MSIL/Nanocore.BT!tr

Analysis

MSIL/Nanocore.BT!tr is a detection for a trojan with backdoor capabilities.
Below are some of its observed behaviours/characteristics:

• It drops the following files:
  
  • %AppData%\[GUID]\Logs\[Username] : This is the folder where the malware store the logs.
  • %AppData%\[GUID]\run.dat : This is a data file.


• This trojan gathers the following information:
  
  • Computer name
  • IP
  • Country
  • CPU usage
  • RAM usage
  • Active window
  • OS
  • Role
  • Architecture
  • Installed Anti-Virus
  • Firewall


• This trojan has the following capabilities:
  
  • Reboot/Shutdown computer
  • Manipulate files
  • Manipulate running processes
  • Manipulate the registry
  • Execute shell commands
  • Remotely execute scripts/executables
  • Steal stored passwords
  • Enable/Disable webcam light
  • Open/Close CD Drive
  • Turn On/Off the monitor
  • Reverse mouse buttons
  • View DNS records
  • Keylogging
  • Browse logs
  • Spoof video feeds
  • Spoof audio feeds


• This trojan sends the gathered information to its C&C:
  
  • 42.[removed]:47581
  • 41.[removed]:47581
  • 160.[removed]:47581

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.