NANOREMOTE malware aimed at attacking Windows users

NANOREMOTE malware aimed at attacking Windows users, accessing Google Drive, victim

The API or Application Programming Interface is a popular tool to help applications and systems work together seamlessly to the extent that they are used today. But by connecting, as mentioned, it has become a tool for hackers.

According to a report by the website, Cyberpress has mentioned the detection of a system back door or backdoor malware distribution campaign called NANOREMOTE by a research team from Elastic Security Labs, a cybersecurity expert organization, in October. The research team estimated that the malware was involved in spying campaigns like FINALDRAFT and REF7707. The malware's capabilities are called bad because it has a high level of command execution capabilities, data extraction capabilities, and, most importantly, the use of the Google Drive API to send malware files (payload). To embed the victim's system by converting Google Drive into a control server channel (C2 or Command and Control) to bypass local protection.

For embedded on the victim's machine, it starts with a loader called WMLOADER. The research team did not say what method the hacker used to trick the victim into opening the file. It only says that when inside the machine, the malware impersonates a process of cyberprotection software like Bitdefender called BDReinit.exe with a signature on the wrong file. After the malware embedded on the system, the malware reserved an Allocated Memory area to decryption and loaded Shellcode into memory to use. The AES-CBC algorithm to decode a malware file called wmsetup.log into memory again by running everything on this memory to complicate the detection system.

In the technical data section of this malware, NANOREMOTE is a malware written on the C + + language that has the ability to fully control endpoints and support 22 commands (Commands) for Reconnaissance, file management and folders on the victim's machine, other commands, to file traffic between the victim's machine and hackers. The latter has the use of a task manager with a traffic queuing system, traffic stops, traffic reactivations. (Resume) This file move system will be an OAuth 2.0 authentication. It joins the Google Drive / drive / v3 / files folder, allowing malware to use the victim's Google Drive at will.

The AES-CBC encryption system, in addition to being used to encrypt Payload files as mentioned above, is also used to encrypt communications between malware and C2 servers in HTTP Requests. It is a combination of Zlib compression, wired to IP numbers that are saved as constants.

In addition, the malware has the ability to stealth (Stealth) inside the system through the use of the libPeConv function to change the path (Maps) of PE type files within the memory to avoid being analyzed for loading such types of files. In addition, Microsoft's Detours Library is used to control (Hook) ExitProcess and FatalExit functions to prevent the process being successfully closed before running. Not only during operation, the malware also stores Log data that comes with GUID identification numbers and malware operation data within the Log folder.

The good news is that after Elastic Labs detected and analyzed the malware, the company successfully added this malware detection potential to its anti-malware products, making those who use the products of the company that updated the patch more secure from the malware.

# Welcome 2026 # Take care of yourself # Open budget # Includes IT matters # Windows