Catching a RAT: How Redborder Detected and Contained NanoCore
Our network detection and response (NDR) platform identified and responded to suspicious NanoCore RAT activity. Through continuous traffic inspection, real-time threat modeling and automated response, we neutralize developing attacks before they escalate or exfiltrate sensitive data.
What is a Remote Access Trojan (RAT)?
RATs remain a staple in the cybercriminal toolkit. Once installed, these tools allow threat actors full remote control over a victim’s device, enabling surveillance, data theft, lateral movement and more. Modern RATs are lightweight and often evade basic endpoint defenses.
What is NanoCore?
NanoCore is one of the most widely used RATs globally. First appearing in underground markets around 2013, it quickly gained traction due to its powerful features. Despite being originally marketed as a remote administration tool, it has been repeatedly abused by cybercriminals. It’s been linked to campaigns targeting energy providers, educational institutions and manufacturing companies, including those lacking advanced network detection.
How Does NanoCore Work?
NanoCore typically arrives via phishing attachments (e.g., Word documents or zipped executables). Once launched, it installs silently, establishes persistence and begins beaconing to its command-and-control (C2) server.
Key Capabilities:
- Keylogging
- Webcam and microphone spying
- File exfiltration
- Remote desktop control
- Registry manipulation
- Plugin support for added functionalities
- Anti-VM and sandbox evasion
Redborder’s Detection of NanoCore
We observed anomalous lateral movement and encrypted outbound connections from a previously clean device inside a customer network. The device began communicating with an unusual external IP over a non-standard port, consistent with typical NanoCore C2 behavior.
Traffic Pattern Alerts:
Our Borderlock anomaly-based engine flagged:
- “Suspicious Beaconing Behavior to Rare External IP”
- “Encrypted Communication with Unknown Certificate”
Further inspection of packet metadata revealed:
- Unusual intervals consistent with heartbeat signals
- Inbound remote shell commands and outbound file movement attempts
- Self-signed certificate, common in NanoCore setups
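To make the heuristics above concrete, here is an added example (not Redborder's own code) that scores connection records for heartbeat-like timing, then attaches the contextual signals the post lists: a rare external destination, a non-standard port and a self-signed certificate. The flow-record layout, the common-port list and the thresholds are assumptions, and the sample flows are constructed.

```python
# Added example, not Redborder's code: the post's beaconing heuristics (regular
# heartbeat intervals, rare external IP, non-standard port, self-signed cert)
# run over constructed flow records. Thresholds and port list are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

COMMON_PORTS = {80, 443, 53, 25, 587, 993}  # assumption: anything else is non-standard

# Constructed sample flows: (epoch_seconds, src_host, dst_ip, dst_port, self_signed_cert)
SAMPLE_FLOWS = [
    # one workstation phoning home every ~60 s to a rare host on 1177 with a self-signed cert
    *[(1000 + 60 * i + (i % 2), "ws-17", "203.0.113.45", 1177, True) for i in range(8)],
    # ordinary browsing by several hosts to one CDN address on 443, irregular timing
    (1003, "ws-17", "198.51.100.10", 443, False),
    (1040, "ws-02", "198.51.100.10", 443, False),
    (1180, "ws-09", "198.51.100.10", 443, False),
    (1205, "ws-17", "198.51.100.10", 443, False),
    (1399, "ws-02", "198.51.100.10", 443, False),
]


def detect_beaconing(flows, min_conns=5, max_jitter=0.2, rare_threshold=2):
    """Report (src, dst, port) channels whose timing looks like a C2 heartbeat:
    at least `min_conns` connections with inter-arrival coefficient of variation
    below `max_jitter`, plus contextual reasons to help an analyst prioritise."""
    by_channel = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, port, self_signed in flows:
        by_channel[(src, dst, port)].append((ts, self_signed))
        hosts_per_dst[dst].add(src)  # how many internal hosts talk to this destination

    findings = []
    for (src, dst, port), events in by_channel.items():
        if len(events) < min_conns:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0  # low jitter = machine-like cadence
        if jitter > max_jitter:
            continue
        reasons = ["periodic interval ~%.0fs (jitter %.2f)" % (avg, jitter)]
        if len(hosts_per_dst[dst]) <= rare_threshold:
            reasons.append("rare external destination")
        if port not in COMMON_PORTS:
            reasons.append("non-standard port %d" % port)
        if any(s for _, s in events):
            reasons.append("self-signed certificate")
        findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings
```

Running `detect_beaconing(SAMPLE_FLOWS)` reports only the ws-17 channel to 203.0.113.45:1177 with all three contextual reasons; the irregular CDN traffic never reaches the timing check.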
Redborder automatically mapped this behavior to MITRE ATT&CK techniques including:
- T1056 – Keylogging
- T1041 – Exfiltration Over C2 Channel
- T1219 – Remote Access Software
Response in Real Time
Our Autonomous Threat Response took immediate action:
- Isolated the affected device from the rest of the network
- Blocked outbound traffic to the suspicious endpoint
- Generated IoC logs and alerts for the security team
- Enabled a full forensic replay of lateral movement for post-mortem analysis
Live traffic monitoring prevented the execution of secondary payloads, such as ransomware or credential stealers, which RATs like NanoCore often deliver.
Indicators of Compromise (IoCs)
- Unusual outbound communication to rare external IPs
- Non-standard ports used for C2 channels
- Self-signed certificates with generic issuers
- Malicious attachments disguised as everyday files
Conclusion
Tools like NanoCore are powerful, adaptable, and still actively used in targeted and opportunistic cyberattacks. Traditional antivirus often misses them, especially when encrypted traffic or custom loaders are involved. We detect these threats by analyzing real network behavior, not just signatures. Proactive monitoring, lateral movement detection and automated isolation can stop attacks before damage is done.
Visibility is everything.