Cybersecurity researchers have revealed details about a sophisticated new Windows backdoor called NANOREMOTE. This fully-featured malware utilizes the Google Drive API to establish its command-and-control (C2) channel, a technique that can make detection challenging for security systems. According to Elastic Security Labs, NANOREMOTE exhibits code similarities with another implant, FINALDRAFT (also known as Squidoor), which uses the Microsoft Graph API for its C2 communication. Both FINALDRAFT and NANOREMOTE are linked to a threat cluster identified as REF7707, which is also tracked under aliases such as CL-STA-0049, Earth Alux, and Jewelbug.

The primary function of NANOREMOTE is centered around transferring data between the victim’s machine and the threat actor via the Google Drive API. This process establishes a robust channel for data exfiltration and for staging additional malicious payloads, a significant hurdle for effective detection. The malware is equipped with an internal task management system to handle file transfer capabilities, including the ability to queue, pause, resume, or cancel download and upload tasks, and to generate necessary refresh tokens for the API connection.

REF7707 is suspected to be a Chinese activity cluster with a history of targeting high-value sectors such as government, defense, telecommunications, education, and aviation. The group’s activities have been observed in Southeast Asia and South America dating back to at least March 2023. While the exact initial method used to deliver NANOREMOTE is unknown, the observed attack chain involves a component called WMLOADER. This loader is designed to impersonate Bitdefender’s crash handling component, “BDReinit.exe,” and is responsible for decrypting and executing the shellcode that launches the NANOREMOTE backdoor.

GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025

Written in C++, NANOREMOTE is a versatile tool capable of performing detailed system reconnaissance, executing commands and files, and facilitating file transfers using the Google Drive API. In addition to its Google Drive C2, it is preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to receive and process operator requests. These requests use HTTP POST methods, with the JSON data being compressed using Zlib and encrypted with AES-CBC using a specific 16-byte key. All requests utilize the URI /api/client and a User-Agent string of NanoRemote/1.0.

The functionality of NANOREMOTE is realized through a comprehensive set of 22 command handlers. These handlers allow the threat actor to collect host information, manipulate files and directories, execute existing portable executable files on the disk, clear the malware’s cache, manage file transfers to and from Google Drive, and ultimately terminate the backdoor process. The discovery of an artifact uploaded from the Philippines that can be decrypted by WMLOADER using the same 16-byte key to reveal a FINALDRAFT implant strongly suggests a shared development pipeline and codebase between the two malware families, further confirming their link to the REF7707 threat actor.

Source: Nanoremote Malware Uses Google Drive API For Stealth Control On Windows Systems