Elastic Security Labs discovered a new Windows backdoor named NANOREMOTE that provides reconnaissance, command execution, and robust file transfer, abusing the Google Drive API for stealthy payload staging and data theft. The implant is delivered via a loader (WMLOADER) that masquerades as Bitdefender software, shares code and keys with FINALDRAFT, and uses HTTP-based C2 plus in-memory PE execution techniques. #NANOREMOTE #FINALDRAFT
Keypoints
- Elastic Security Labs identified NANOREMOTE, a 64-bit C++ Windows backdoor with 22 command handlers for discovery, command execution, and file transfer.
- The malware abuses the Google Drive API for both downloading staged payloads and exfiltrating files, using OAuth refresh tokens and encrypted uploads/downloads to blend with legitimate traffic.
- Initial delivery uses WMLOADER, which masquerades as BDReinit.exe (Bitdefender) and decrypts a companion encrypted payload file (wmsetup.log) with AES-CBC to load NANOREMOTE in memory.
- NANOREMOTE supports in-memory PE execution and a custom PE loader (libPeConv), Base64-encoded PE execution, and runtime hooking via Microsoft Detours to improve resiliency.
- Network C2 runs over HTTP (/api/client) with Zlib compression and AES-CBC encryption; requests include machine GUIDs and operator commands, and responses return output and success flags.
- Elastic provided YARA rules and detection via Elastic Defend (behavioral rules, ML, memory protection), and documented multiple SHA-256 observables and filenames linked to WMLOADER and NANOREMOTE.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP POST requests to /api/client with a NanoRemote/1.0 User-Agent; the JSON payloads are Zlib compressed and AES-CBC encrypted (‘These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC’).
- [T1567.002] Exfiltration to Cloud Storage – Abuse of the Google Drive API for uploading victim files and downloading staged payloads (‘One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API’).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Remote command execution by spawning cmd.exe and returning output via pipes (‘The malware spawns cmd.exe, which in turn launches the specified command—in this case, whoami.exe’).
- [T1083] File and Directory Discovery – Remote listing and enumeration of folders and files by path, returning attributes such as size and last modified date (‘This handler lists the folder contents using a provided file path from the operator’).
- [T1082] System Information Discovery – Collection of system and user details (OS, hostname, username, IPs, process info) to profile infected hosts (‘This handler enumerates system and user details to profile the victim environment:’).
- [T1055] Process Injection / In-memory Execution – Loading and executing PE files in memory with a custom PE loader (libPeConv) and running Base64-encoded PEs inside the NANOREMOTE process. Loading a PE into the implant’s own process is reflective loading rather than injection into another process, so T1620 (Reflective Code Loading) is the closer fit for the handler itself; the T1055 tag follows the memory-protection alert Elastic Defend raised (‘This handler loads and executes a Base64 encoded PE file inside the existing NANOREMOTE process’ and ‘Memory Threat Detection Alert: Shellcode Injection’).
- [T1036] Masquerading – WMLOADER impersonates a legitimate Bitdefender executable name and carries an invalid digital signature to blend in (‘WMLOADER masquerades as a Bitdefender Security program (BDReinit.exe) with an invalid digital signature’).
- [T1016] System Network Configuration Discovery – Retrieval of internal/external IP addresses and network interface information using Windows socket ioctl calls; this enumerates the host’s own interfaces rather than scanning remote services (‘Uses WSAIoctl with SIO_GET_INTERFACE_LIST to retrieve internal and external IP address’).
- [T1105] Ingress Tool Transfer – Downloading additional tools and payloads to the victim via Google Drive file IDs and WinHTTP requests (‘When a download task is processed, NANOREMOTE will retrieve the size of the file hosted on Google Drive using the file ID… then download the file via WinHttpSendRequest’).
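The C2 envelope described in the Keypoints and under T1071.001 (JSON, Zlib compressed, AES-CBC encrypted, posted to /api/client) can be reproduced and reversed for triage. The following Go program is an added example written for this page, not code from Elastic’s report or from the implant: it seals a constructed task the way the description implies and opens it again, which is the shape a decoder for captured POST bodies takes. Everything the page does not state is an assumption and is marked as such in the code: the JSON field names, PKCS#7 padding, a 16-byte IV prepended to the ciphertext, and the reading of the reported key as hex to be decoded into a 16-byte AES-128 key rather than used as a 32-character string.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// c2KeyHex is the C2 key as printed in the IOC list. Assumption: the 32 hex characters
// decode to a 16-byte AES-128 key; if the sample uses the ASCII string itself (AES-256), pass []byte(c2KeyHex).
const c2KeyHex = "558bec83ec40535657833d7440001c00"

// Envelope is a hypothetical task/response shape. The report says requests carry a machine GUID
// and a command, and responses carry output and a success flag; the JSON field names are assumptions.
type Envelope struct {
	MachineGUID string `json:"machine_guid"`
	Command     string `json:"command"`
	Output      string `json:"output,omitempty"`
	Success     bool   `json:"success"`
}

// PKCS#7 padding is assumed; the report does not name the padding scheme.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// Seal is the implant side: JSON -> zlib -> AES-CBC. Prepending the IV (which must be
// aes.BlockSize bytes) to the ciphertext is an assumption the report does not state.
func Seal(key, iv []byte, e Envelope) ([]byte, error) {
	plain, err := json.Marshal(e)
	if err != nil {
		return nil, err
	}
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(plain)
	w.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(z.Bytes())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// Open reverses Seal on a captured POST body to /api/client.
func Open(key, body []byte) (Envelope, error) {
	var e Envelope
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return e, errors.New("body too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return e, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padded, err := pkcs7Unpad(plain)
	if err != nil {
		return e, err
	}
	r, err := zlib.NewReader(bytes.NewReader(padded))
	if err != nil {
		return e, err
	}
	raw, err := io.ReadAll(r)
	if err == nil {
		err = json.Unmarshal(raw, &e)
	}
	return e, err
}

func main() {
	key, _ := hex.DecodeString(c2KeyHex)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // constructed IV, not from a capture
	body, _ := Seal(key, iv, Envelope{MachineGUID: "constructed-guid", Command: "whoami"})
	e, err := Open(key, body)
	fmt.Printf("%d-byte body decodes to %+v (err=%v)\n", len(body), e, err)
}
```

Against a real capture, test the key interpretation and IV placement first: if Open returns a padding or zlib header error with the decoded key, retry with []byte(c2KeyHex) as a 32-byte key and with the IV taken from elsewhere in the body before concluding that the sample uses a different key.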
Indicators of Compromise
- [SHA-256] Samples observed in research – fff31726d253458f2c29233d37ee4caf43c5252f58df76c0dced71c4014d6902, 999648bd814ea5b1e97918366c6bd0f82b88f5675da1d4133257b9e6f4121475, and 3 more hashes.
- [File name] Loader/payload filenames used in deployment – BDReinit.exe (WMLOADER), wmsetup.log (encrypted payload used by WMLOADER).
- [Google Drive file ID] Files hosted on Google Drive for staging/exfiltration – 1BwdUSIyA3WTUrpAEEDhG0U48U9hYPcy7, 1qmP4TcGfE2xbjYSlV-AVCRA96f6Kp-V7.
- [URI / User-Agent] Network indicators and API endpoints – /api/client (C2 endpoint), “/drive/v3/files/%s?alt=media” and User-Agent “NanoRemote/1.0”.
- [Encryption keys] Hard-coded cryptographic keys observed in samples – AES key for C2: 558bec83ec40535657833d7440001c00, AES key used by WMLOADER: 3A5AD78097D944AC.
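The network indicators above can be turned into a first-pass matcher for proxy or egress logs. This Go program is an added example, not part of the Elastic report: it treats the /api/client path and the NanoRemote/1.0 User-Agent as strong signals, treats a Drive alt=media download as strong only when the file ID is one of the two listed, and otherwise records it as a weak note, since alt=media downloads are ordinary Google Drive traffic. The log line layout and the sample lines (including the TEST-NET address 198.51.100.7) are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Network indicators from the IOC list above.
const (
	c2Path = "/api/client"
	c2UA   = "NanoRemote/1.0"
)

var (
	// Google Drive media download, matching the "/drive/v3/files/%s?alt=media" format string.
	driveMedia = regexp.MustCompile(`/drive/v3/files/([A-Za-z0-9_-]+)\?alt=media`)
	// File IDs the report associates with staging and exfiltration.
	driveIDs = map[string]bool{
		"1BwdUSIyA3WTUrpAEEDhG0U48U9hYPcy7": true,
		"1qmP4TcGfE2xbjYSlV-AVCRA96f6Kp-V7": true,
	}
)

// Match returns the indicators a log line hits. The assumed layout is
// "<client> <method> <url> <status> \"<user-agent>\"", constructed for this
// example rather than taken from any real proxy format.
func Match(line string) []string {
	var hits []string
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return hits
	}
	url := fields[2]
	ua := ""
	if i := strings.Index(line, `"`); i >= 0 {
		ua = strings.Trim(line[i:], `"`)
	}
	if strings.HasSuffix(url, c2Path) || strings.Contains(url, c2Path+"?") {
		hits = append(hits, "c2-path:"+c2Path)
	}
	if ua == c2UA {
		hits = append(hits, "user-agent:"+c2UA)
	}
	if m := driveMedia.FindStringSubmatch(url); m != nil {
		if driveIDs[m[1]] {
			hits = append(hits, "drive-file-id:"+m[1])
		} else {
			// alt=media downloads are ordinary Drive traffic; without a known
			// file ID this is only a weak note to correlate with the requesting process.
			hits = append(hits, "drive-media-download")
		}
	}
	return hits
}

// Strong reports whether any hit is specific enough to alert on by itself.
func Strong(hits []string) bool {
	for _, h := range hits {
		if h != "drive-media-download" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample lines; 198.51.100.7 is a TEST-NET address, not a real C2 server.
	samples := []string{
		`10.0.0.5 POST http://198.51.100.7/api/client 200 "NanoRemote/1.0"`,
		`10.0.0.5 GET https://www.googleapis.com/drive/v3/files/1BwdUSIyA3WTUrpAEEDhG0U48U9hYPcy7?alt=media 200 "Mozilla/5.0"`,
		`10.0.0.9 GET https://www.googleapis.com/drive/v3/files/abcDEF123?alt=media 200 "Mozilla/5.0"`,
	}
	for _, s := range samples {
		h := Match(s)
		fmt.Printf("strong=%-5v hits=%v\n", Strong(h), h)
	}
}
```

The weak "drive-media-download" note is deliberate: a hunt should join it with the requesting process image (a BDReinit.exe or otherwise unexpected binary talking to googleapis.com) rather than alert on Drive downloads alone.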