NANOREMOTE Malware Stealthily Controls Windows Systems Via Google Drive API
- John Jordan
- 4 hours ago
- 2 min read
A newly identified Windows backdoor, dubbed NANOREMOTE, uses the legitimate Google Drive API as part of its command-and-control (C2) infrastructure, giving it a covert channel for data exfiltration and payload staging that blends in with ordinary cloud-storage traffic. The discovery is another instance of a growing trend: threat actors routing malicious traffic through trusted cloud services so that domain and IP reputation controls have nothing to block.
Key Takeaways
NANOREMOTE utilizes the Google Drive API for command-and-control (C2) operations.
It shares code similarities with the FINALDRAFT malware, attributed to the REF7707 threat cluster.
The malware is written in C++ and offers extensive capabilities, including reconnaissance, file transfer, and command execution.
A loader named WMLOADER, masquerading as a Bitdefender component, is used to deploy the NANOREMOTE payload.
Stealthy Command and Control
NANOREMOTE's primary distinguishing feature is its use of the Google Drive API for moving data. Files leave and enter infected Windows systems through the same HTTPS endpoints that browsers and the Drive desktop client use, so the traffic closely resembles legitimate cloud-storage activity and is hard to separate from it at the network boundary. The malware includes a robust task management system for file transfers, enabling operators to queue, pause, resume, and cancel uploads and downloads. Because the destination is Google's own infrastructure, detection has to rely on which process is making the requests and on what it is doing (uploads from hosts that have no business reaching the Drive API, for instance), rather than on the destination itself.
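The detection idea above, as an added example written for this page (it is not code from the report or the malware): a small rule run over constructed EDR-style events that flags Drive v3 API requests, and especially uploads, coming from processes that are not on an allowlist of known Drive clients. The event shape, the sample paths and URLs, and the allowlist are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Event is one outbound HTTPS request as an EDR or an authenticating proxy with
// process attribution might record it. The fields are constructed for this example.
type Event struct {
	Host  string // source workstation
	Image string // full path of the process that opened the connection
	URL   string // request URL after TLS inspection
}

// Finding is an event that matched the rule, with the reason it matched.
type Finding struct {
	Event  Event
	Reason string
}

// Processes expected to talk to the Drive API on a workstation. The list is an
// assumption for the example; match on signer and path, not just name, in production.
var driveAllowlist = map[string]bool{
	"chrome.exe":        true,
	"msedge.exe":        true,
	"firefox.exe":       true,
	"googledrivefs.exe": true,
}

// baseName returns the file name from a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// driveEndpoint reports whether the URL targets the Drive v3 REST API and, if so,
// whether it is the upload endpoint (the direction that carries exfiltrated data).
func driveEndpoint(raw string) (api, upload bool) {
	u, err := url.Parse(raw)
	if err != nil || !strings.EqualFold(u.Host, "www.googleapis.com") {
		return false, false
	}
	p := strings.ToLower(u.Path)
	switch {
	case strings.HasPrefix(p, "/upload/drive/v3/"):
		return true, true
	case strings.HasPrefix(p, "/drive/v3/"):
		return true, false
	}
	return false, false
}

// Classify applies the rule: Drive API traffic from a process outside the
// allowlist is suspicious, and an upload from such a process is rated higher.
func Classify(ev Event) (Finding, bool) {
	api, upload := driveEndpoint(ev.URL)
	if !api || driveAllowlist[strings.ToLower(baseName(ev.Image))] {
		return Finding{}, false
	}
	reason := "Drive API request from process outside the allowlist"
	if upload {
		reason = "Drive API upload from process outside the allowlist (possible exfiltration)"
	}
	return Finding{Event: ev, Reason: reason}, true
}

// RunDetection runs Classify over a batch of events and returns the findings.
func RunDetection(events []Event) []Finding {
	var out []Finding
	for _, ev := range events {
		if f, hit := Classify(ev); hit {
			out = append(out, f)
		}
	}
	return out
}

// SampleEvents are constructed log records, not real telemetry.
var SampleEvents = []Event{
	{"ws01", `C:\Program Files\Google\Chrome\Application\chrome.exe`, "https://www.googleapis.com/drive/v3/files?q=%27root%27+in+parents"},
	{"ws01", `C:\Users\Public\Libraries\svc.exe`, "https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable"},
	{"ws01", `C:\Users\Public\Libraries\svc.exe`, "https://www.googleapis.com/drive/v3/files/1AbCdEf?alt=media"},
	{"ws02", `C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE`, "https://outlook.office365.com/mapi/emsmdb/"},
	{"ws02", `C:\Program Files\Google\DriveFS\GoogleDriveFS.exe`, "https://www.googleapis.com/drive/v3/changes?pageToken=1"},
}

func main() {
	for _, f := range RunDetection(SampleEvents) {
		fmt.Printf("%s %s -> %s: %s\n", f.Event.Host, baseName(f.Event.Image), f.Event.URL, f.Reason)
	}
}
```

Matching on the image name alone is deliberately simple: a dropper can call itself chrome.exe, so a production rule should key the allowlist on code-signing identity and install path, and should treat a non-allowlisted process reaching the upload endpoint as the higher-priority alert.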
Advanced Capabilities and Threat Actor Linkages
Written in C++, NANOREMOTE is a fully featured backdoor capable of performing various malicious actions. These include gathering host information, executing files and commands, and manipulating files and directories on victim machines. It communicates with its C2 server via HTTP POST requests whose bodies are Zlib compressed and then AES-CBC encrypted, sent to a hard-coded, non-routable IP address with a specific URI () and User-Agent string. A non-routable address cannot be reached across the public Internet, so the analysed build was presumably intended for a particular network or test environment; defenders are better served by keying detections on the request pattern and on the encryption layering than on the address. For an analyst with the recovered key, recovering traffic means reversing the layers in order: decrypt first, then decompress.
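The compress-then-encrypt pipeline described above, as an added example written for this page rather than code from the implant or the report: it builds a POST body the same way (zlib, then AES-CBC with PKCS#7 padding) and decodes it the way an analyst with the recovered key would. The key value, and the choice to carry the IV as the first 16 bytes of the body, are assumptions made for the example; the page does not state the real key or how the implant conveys its IV.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DemoKey stands in for the hard-coded key the report describes. The real key
// is not published on the page, so this value is an assumption for the example.
var DemoKey = []byte("0123456789abcdef")

// pkcs7Pad pads b to a whole number of blocks.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes padding, rejecting malformed padding (wrong key or tampering).
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("ciphertext is not whole blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncodeWithIV is the implant side: zlib-compress the plaintext, then AES-CBC
// encrypt it under key with the given IV. Returns iv || ciphertext (assumed framing).
func EncodeWithIV(key, iv, plaintext []byte) ([]byte, error) {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(plaintext)
	w.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block")
	}
	padded := pkcs7Pad(z.Bytes(), block.BlockSize())
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// Encode wraps EncodeWithIV with a fresh random IV per message.
func Encode(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return EncodeWithIV(key, iv, plaintext)
}

// Decode is the analyst side: split off the IV, AES-CBC decrypt, strip padding,
// then zlib-decompress. Any layer failing usually means the wrong key.
func Decode(key, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(body) < 2*bs || (len(body)-bs)%bs != 0 {
		return nil, errors.New("body is not an IV followed by whole blocks")
	}
	iv, ct := body[:bs], body[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt, bs)
	if err != nil {
		return nil, err
	}
	r, err := zlib.NewReader(bytes.NewReader(unpadded))
	if err != nil {
		return nil, fmt.Errorf("zlib: %w", err)
	}
	defer r.Close()
	return io.ReadAll(r)
}

func main() {
	// Constructed beacon content, not a captured message.
	body, _ := Encode(DemoKey, []byte(`{"host":"WS01","task":"dir C:\\Users"}`))
	fmt.Printf("post body (%d bytes): %x\n", len(body), body)
	back, err := Decode(DemoKey, body)
	fmt.Printf("decoded: %s err=%v\n", back, err)
}
```

The order matters for an analyst: compressing after encryption would be pointless, so a body that fails to inflate after a clean decrypt is a sign of the wrong key or a different framing, not of a different compressor.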
Researchers have noted significant code similarities between NANOREMOTE and another implant known as FINALDRAFT. FINALDRAFT is associated with the REF7707 threat cluster, a suspected Chinese state-sponsored group that has targeted various sectors, including government, defense, and telecommunications, across Southeast Asia and South America since March 2023. This linkage suggests a shared development environment or toolset between these malware families.
The Loader and Execution Chain
The initial access vector for NANOREMOTE remains unknown. However, the observed attack chain involves a loader named WMLOADER. This loader mimics a legitimate Bitdefender crash handling component () to gain execution. Once active, WMLOADER decrypts shellcode responsible for launching the NANOREMOTE backdoor. Notably, WMLOADER and NANOREMOTE share the same AES key and operational structure found in FINALDRAFT deployments, further solidifying the connection between these threats.
To enhance its stealth and resilience, NANOREMOTE manually maps and executes Portable Executable (PE) files directly in memory using functions from the library, so the payload is never loaded through the normal Windows loader and does not appear in the process's loaded-module list. It also uses Microsoft's Detours library to hook system functions such as and , preventing its own premature termination. The malware keeps detailed activity logs and maintains resilience through exception handling and mini-dump creation for debugging purposes.
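The manual-mapping step described above, as an added example written for this page (not code from the malware or the report): it builds a constructed minimal PE32+ image and lays its sections out at their virtual addresses the way an in-memory loader does, which is the part of manual mapping that lets a payload run without LoadLibrary. Relocation fix-ups, import resolution and page protections, which a complete mapper also performs, are left out, and the sample image's layout values are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

// putSection writes one IMAGE_SECTION_HEADER (40 bytes) at h.
func putSection(h []byte, name string, vsize, va, rawSize, rawPtr uint32) {
	copy(h[:8], name)
	le.PutUint32(h[8:], vsize)    // VirtualSize
	le.PutUint32(h[12:], va)      // VirtualAddress (RVA in memory)
	le.PutUint32(h[16:], rawSize) // SizeOfRawData
	le.PutUint32(h[20:], rawPtr)  // PointerToRawData (offset in file)
}

// BuildSamplePE constructs a minimal PE32+ file in memory: DOS stub, PE signature,
// COFF header, optional header, and two sections whose file offsets differ from
// their virtual addresses. It is constructed for this example, not a real sample.
func BuildSamplePE() []byte {
	f := make([]byte, 0x600)
	copy(f, "MZ")
	le.PutUint32(f[0x3c:], 0x40) // e_lfanew
	copy(f[0x40:], "PE\x00\x00")
	coff := 0x44
	le.PutUint16(f[coff:], 0x8664)   // Machine: x64
	le.PutUint16(f[coff+2:], 2)      // NumberOfSections
	le.PutUint16(f[coff+16:], 240)   // SizeOfOptionalHeader (PE32+)
	opt := coff + 20
	le.PutUint16(f[opt:], 0x20b)          // Magic: PE32+
	le.PutUint32(f[opt+16:], 0x1000)      // AddressOfEntryPoint (RVA)
	le.PutUint64(f[opt+24:], 0x140000000) // ImageBase
	le.PutUint32(f[opt+32:], 0x1000)      // SectionAlignment
	le.PutUint32(f[opt+36:], 0x200)       // FileAlignment
	le.PutUint32(f[opt+56:], 0x3000)      // SizeOfImage
	le.PutUint32(f[opt+60:], 0x200)       // SizeOfHeaders
	sec := opt + 240
	putSection(f[sec:], ".text", 0x200, 0x1000, 0x200, 0x200)
	putSection(f[sec+40:], ".data", 0x300, 0x2000, 0x200, 0x400)
	for i := 0x200; i < 0x400; i++ {
		f[i] = 0xC3 // ret sled standing in for code
	}
	copy(f[0x400:], "constructed-data")
	return f
}

// MapImage performs the section-copy step of manual mapping: headers and each
// section are placed at their RVAs inside a SizeOfImage-sized buffer, and the
// gap between SizeOfRawData and VirtualSize is left zeroed as the loader would.
// Returns the mapped image and the entry-point RVA.
func MapImage(file []byte) ([]byte, uint32, error) {
	if len(file) < 0x40 || string(file[:2]) != "MZ" {
		return nil, 0, errors.New("not a PE file: missing MZ")
	}
	pe := int(le.Uint32(file[0x3c:]))
	if pe < 0 || pe+24 > len(file) || string(file[pe:pe+4]) != "PE\x00\x00" {
		return nil, 0, errors.New("bad e_lfanew or PE signature")
	}
	nsec := int(le.Uint16(file[pe+6:]))
	optSize := int(le.Uint16(file[pe+20:]))
	opt := pe + 24
	if optSize < 112 || opt+optSize > len(file) || le.Uint16(file[opt:]) != 0x20b {
		return nil, 0, errors.New("only PE32+ optional headers are handled")
	}
	entry := le.Uint32(file[opt+16:])
	sizeOfImage := le.Uint32(file[opt+56:])
	sizeOfHeaders := int(le.Uint32(file[opt+60:]))
	if sizeOfHeaders > len(file) || sizeOfImage == 0 || sizeOfImage > 64<<20 {
		return nil, 0, errors.New("implausible header or image size")
	}
	image := make([]byte, sizeOfImage)
	copy(image, file[:sizeOfHeaders])
	for i := 0; i < nsec; i++ {
		h := opt + optSize + i*40
		if h+40 > len(file) {
			return nil, 0, errors.New("truncated section table")
		}
		va := le.Uint32(file[h+12:])
		rawSize := le.Uint32(file[h+16:])
		rawPtr := le.Uint32(file[h+20:])
		if uint64(rawPtr)+uint64(rawSize) > uint64(len(file)) || uint64(va)+uint64(rawSize) > uint64(sizeOfImage) {
			return nil, 0, fmt.Errorf("section %d is out of bounds", i)
		}
		copy(image[va:va+rawSize], file[rawPtr:rawPtr+rawSize])
	}
	return image, entry, nil
}

func main() {
	img, entry, err := MapImage(BuildSamplePE())
	fmt.Printf("mapped %d bytes, entry RVA 0x%x, byte at entry 0x%02x, err=%v\n", len(img), entry, img[entry], err)
}
```

The point for defenders is visible in the output: the code lives at file offset 0x200 but executes at RVA 0x1000, and nothing here calls LoadLibrary, so image-load telemetry and module enumeration never see the payload. Detection therefore has to come from memory scanning (private, executable regions containing PE headers) or from the behaviour of the loader process.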
Sources
NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems, The Hacker News.
Windows Systems Targeted by NANOREMOTE Malware Using Google Drive API for C2 Attacks, Cyber Press.