MSIL/Nanocore.BT!tr

description-logoAnalysis


MSIL/Nanocore.BT!tr is a detection for a trojan with backdoor capabilities.
Below are some of its observed behaviours/characteristics:

  • It drops the following files:
    • undefinedAppDataundefined\[GUID]\Logs\[Username] : This is the folder where the malware store the logs.
    • undefinedAppDataundefined\[GUID]\run.dat : This is a data file.

  • This trojan gathers the following information:
    • Computer name
    • IP
    • Country
    • CPU usage
    • RAM usage
    • Active window
    • OS
    • Role
    • Architecture
    • Installed Anti-Virus
    • Firewall

  • This trojan has the following capabilities:
    • Reboot/Shutdown computer
    • Manipulate files
    • Manipulate running processes
    • Manipulate the registry
    • Execute shell commands
    • Remotely execute scripts/executables
    • Steal stored passwords
    • Enable/Disable webcam light
    • Open/Close CD Drive
    • Turn On/Off the monitor
    • Reverse mouse buttons
    • View DNS records
    • Keylogging
    • Browse logs
    • Spoof video feeds
    • Spoof audio feeds

  • This trojan sends the gathered information to its C&C:
    • 42.[removed]:47581
    • 41.[removed]:47581
    • 160.[removed]:47581


recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-10-22 72.51600 Sig Updated
2019-09-11 71.52300 Sig Added