Most people are now familiar with how destructive and damaging computer viruses such as a Trojan can be. Many are dealt with by antivirus software, though there are a few that are designed to circumvent attempts to stop them.
There is one NanoCore Remote Access Trojan (RAT), that is being spread through documents and has a unique way of preventing users from killing it.
Discovery of the Trojan
A cybersecurity team from Fortinet managed to capture a sample of it from a malicious Word Document.
The author is known as “Taylor Huddleston” and was sentenced to three years in prison. However, while the developer is now behind bars, the trojan has carried on infecting.
The document, called “eml_-_PO20180921.doc” is spread through phishing campaigns. It contains malicious VBA code which then initiates the trojan.
If you open the document, it will display a warning that tells you macros have been disabled. However, if you click to enable content, then the process of infecting your computer begins.
Researchers at Fortinet discovered that the latest version 126.96.36.199 is downloaded from the wwpdubai.com domain and then saved in the Windows temporary folder.
The Infection Process
If you are unlucky enough to execute this Trojan, it will check to see if it already exists and if antivirus is running. If not, two processes will start, one of which, dll.exe is designed to keep the Trojan running.
It uses netprotocol.exe and injects the NanoCode into memory. This includes a process class called “ProtectMe” which prevents the user from killing off the process.
Testing the Operation
The dangerous part of this Trojan is that the netprotocol.exe process cannot be killed. Researchers at Fortinet found they could not kill the process, even though it isn’t a system service.
NanoCore was first discovered in 2013 and can perform many disturbing functions. Not only is it a keylogger, but it also steals passwords, locks screens, and sends data to its operator.
The latest version was released in 2015 before its operator’s arrest in 2016.