New 'NanoRemote' Malware Stealthily Controls Windows Systems via Google Drive
- John Jordan
- 1 day ago
- 3 min read
Updated: 8 hours ago
Cybersecurity researchers have uncovered a sophisticated new Windows backdoor, dubbed 'NanoRemote,' that leverages the Google Drive API for covert command-and-control (C2) operations. This advanced malware allows threat actors to steal data and stage payloads in a manner that is exceptionally difficult to detect, posing a significant threat to targeted organizations.

Key Takeaways
Stealthy C2: NanoRemote utilizes the Google Drive API for command and control, making its communications blend in with legitimate cloud traffic.
Code Similarity: Shares code with FINALDRAFT (Squidoor), an implant linked to the suspected Chinese threat cluster REF7707.
Targeted Sectors: REF7707 has a history of targeting governments, defense, telecommunications, education, and aviation in Southeast Asia and South America.
Loader Mimicry: Employs a loader named WMLOADER that disguises itself as a Bitdefender component to deploy the backdoor.
Full Functionality: Capable of reconnaissance, file operations, command execution, and data exfiltration.
Advanced Functionality and C2 Mechanism
NanoRemote is a fully-featured Windows backdoor written in C++. Its primary function revolves around its ability to transfer data to and from victim endpoints using the Google Drive API. This feature is crucial for both data theft and the staging of additional malicious payloads, making detection a significant challenge for security teams.
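Because the backdoor's transfers ride on the Google Drive API, one practical detection angle is to watch which processes on an endpoint talk to the Drive endpoints at all. The following Go snippet is an added example, not code from the article or from the researchers it cites: it scans constructed proxy-style log lines and flags Drive API requests issued by processes outside an assumed allowlist of expected clients. The log format, the allowlist, and the hostname/path patterns (`www.googleapis.com`, `/drive/` and `/upload/drive/`, which are the public Drive v3 endpoints) are assumptions to adapt to your own telemetry.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Alert records one Drive API request from an unexpected process.
type Alert struct {
	Host    string // endpoint that issued the request
	Process string // lowercase image name
	Path    string // request path on the Drive API host
}

// Public Google Drive v3 endpoints live on www.googleapis.com under these paths.
const driveHost = "www.googleapis.com"

var drivePaths = []string{"/drive/", "/upload/drive/"}

// Assumed allowlist of processes that legitimately use Drive in this environment.
var expectedClients = map[string]bool{
	"chrome.exe":        true,
	"msedge.exe":        true,
	"firefox.exe":       true,
	"googledrivefs.exe": true,
}

// FlagDriveClients parses constructed log lines of the form
// "<host> <process> <method> <dest_host> <path>" and returns every Drive API
// request made by a process that is not on the allowlist. Malformed lines are
// skipped rather than treated as alerts.
func FlagDriveClients(logs string) []Alert {
	var out []Alert
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		host, proc, dest, path := f[0], strings.ToLower(f[1]), f[3], f[4]
		if dest != driveHost || !isDrivePath(path) {
			continue
		}
		if expectedClients[proc] {
			continue
		}
		out = append(out, Alert{Host: host, Process: proc, Path: path})
	}
	return out
}

func isDrivePath(p string) bool {
	for _, prefix := range drivePaths {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// Constructed sample telemetry (not captured data): a browser using Drive,
// a non-browser process uploading to Drive, and unrelated traffic.
const sampleLogs = `ws01 chrome.exe GET www.googleapis.com /drive/v3/files
ws01 svchost.exe POST www.googleapis.com /upload/drive/v3/files
ws02 updater.exe GET update.example.invalid /check
ws02 Explorer.EXE GET www.googleapis.com /drive/v3/files/abc
ws03 outlook.exe POST www.googleapis.com /calendar/v3/events`

func main() {
	for _, a := range FlagDriveClients(sampleLogs) {
		fmt.Printf("ALERT host=%s process=%s path=%s\n", a.Host, a.Process, a.Path)
	}
}
```

The heuristic deliberately ignores non-Drive Google API paths (the calendar line above) so that it stays specific to the transfer channel described here; per-process baselining over a longer window would be the next refinement.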
The malware includes a robust task management system specifically designed for file transfer operations. This system allows operators to queue download and upload tasks, pause or resume ongoing transfers, cancel them entirely, and even generate refresh tokens for persistent access.
Communication with the operator occurs over HTTP. JSON messages are Zlib-compressed, then encrypted with AES-CBC under a specific 16-byte key, and sent in POST requests. All requests are directed to the URI with a distinctive string of .
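For incident responders who have recovered the key from a sample, the useful tool is a decoder that reverses that pipeline on captured request bodies. The Go program below is an added example, not the researchers' code and not derived from the actual malware: it AES-CBC-decrypts a body with a 16-byte key, strips PKCS#7 padding, Zlib-decompresses, and parses the resulting JSON. The IV placement (first 16 bytes of the body), the padding scheme, and the placeholder key and message are assumptions; the real sample's framing may differ. An encoder is included only so the decoder can be exercised offline against constructed data.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// DecodeBeacon reverses the described pipeline: AES-CBC decrypt, unpad,
// zlib-decompress, JSON-parse. Body layout assumed: IV || ciphertext.
func DecodeBeacon(body, key []byte) (map[string]interface{}, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte AES key")
	}
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("body is not IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	zr, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("zlib: %w", err)
	}
	defer zr.Close()
	// Cap decompression so a crafted body cannot exhaust memory.
	raw, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return nil, err
	}
	var msg map[string]interface{}
	if err := json.Unmarshal(raw, &msg); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return msg, nil
}

// pkcs7Unpad validates and removes PKCS#7 padding (assumed scheme).
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncodeBeacon builds a body in the same layout so the decoder can be tested
// on constructed input; it is not a reproduction of the malware's code.
func EncodeBeacon(msg map[string]interface{}, key, iv []byte) ([]byte, error) {
	raw, err := json.Marshal(msg)
	if err != nil {
		return nil, err
	}
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	if _, err := zw.Write(raw); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	pt := zb.Bytes()
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...), nil
}

func main() {
	key := []byte("0123456789abcdef") // placeholder, not the sample's key
	iv := []byte("fedcba9876543210")  // placeholder IV
	body, _ := EncodeBeacon(map[string]interface{}{"cmd": "list", "id": 7}, key, iv)
	msg, err := DecodeBeacon(body, key)
	fmt.Println(msg, err)
}
```

With the wrong key the padding or Zlib header check fails before any JSON is parsed, which is the behaviour an analyst wants when trying candidate keys against a capture.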
Threat Actor and Targeting
NanoRemote is believed to be the work of the same threat actor behind FINALDRAFT, a malware family attributed to the REF7707 activity cluster. This group, also known by aliases such as CL-STA-0049, Earth Alux, and Jewelbug, is suspected to be of Chinese origin. Their targets have historically included sensitive sectors such as government, defense, telecommunications, education, and aviation, primarily in Southeast Asia and South America, with activity dating back to at least March 2023.
Recent reports have also linked REF7707 to a prolonged intrusion targeting a Russian IT service provider. The exact initial access vector for NanoRemote remains unknown, but the observed attack chain involves the WMLOADER, which impersonates a legitimate Bitdefender crash handling component () to decrypt and execute its shellcode, ultimately launching the backdoor.
Shared Development and Artifacts
Security researchers noted a strong connection between NanoRemote and FINALDRAFT, evidenced by shared code similarities and the use of the same hard-coded encryption key. An artifact found on VirusTotal, uploaded from the Philippines, was capable of being decrypted by WMLOADER to reveal a FINALDRAFT implant. This suggests a shared codebase and development environment, further strengthening the hypothesis that both malware families originate from the same threat actor.
NanoRemote's capabilities are extensive, managed through 22 distinct command handlers. These allow for comprehensive host information gathering, file and directory manipulation, execution of portable executable files, cache clearing, Google Drive file operations, transfer management, and self-termination.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems, The Hacker News.