Ethical Hacking News
Elastic Security Labs has uncovered a new Windows backdoor, NANOREMOTE, which leverages Google Drive as its C2 channel. This sophisticated backdoor supports 22 command handlers, providing attackers with full control over an infected system. Read more to learn about the tactics, techniques, and procedures (TTPs) employed by this threat actor.
NANOREMOTE is a 64-bit Windows backdoor written in C++ designed to run commands, move files, and communicate with the Google Drive API. The backdoor supports 22 command handlers for full control over an infected system. NANOREMOTE enables gathering of system information, modifying beacon timing, executing commands, loading PE files from disk or memory, and managing files and directories. The malware uses custom PE loaders, Microsoft Detours for function hooking, and task queues to manage ongoing operations. NANOREMOTE communicates with a hard-coded IP address over HTTP, transmitting data compressed with Zlib and encrypted with AES-CBC. The discovery highlights the sophistication of threat actors, and NANOREMOTE shares code similarities with another known backdoor, FINALDRAFT (Squidoor).
Elastic Security Labs has recently uncovered a new Windows backdoor, aptly named NANOREMOTE, which leverages the Google Drive API for its command and control (C2) channel. This discovery sheds light on the sophisticated methods employed by threat actors to maintain persistence in infected systems while evading detection.
The researchers at Elastic Security Labs have identified NANOREMOTE as a 64-bit backdoor written in C++, designed to run commands, move files, and communicate with the Google Drive API via pipe-separated configurations or the NR_GOOGLE_ACCOUNTS environment variable. This advanced backdoor supports 22 command handlers, providing attackers with full control over an infected Windows system.
These handlers enable NANOREMOTE to gather system information, modify beacon timing, terminate itself, manage files and directories (list, move, delete, create), execute commands, load PE files from disk or directly from memory, and change or retrieve the working directory. Furthermore, it includes advanced file-transfer capabilities using the Google Drive API, with queued download/upload tasks that can be paused, resumed, or canceled. These transfers blend into normal encrypted cloud traffic, complicating detection.
The backdoor uses custom PE loaders, Microsoft Detours for function hooking, and task queues to manage ongoing operations. Notably, NANOREMOTE communicates over HTTP with a hard-coded, non-routable IP address, receiving operator commands and returning the corresponding results. The data transmitted between the backdoor and the C2 server is compressed using Zlib and then encrypted with AES-CBC using a fixed 16-byte key.
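As an added analyst-side example (not Elastic's code and not the sample's), the following Go program unwraps a captured message layered the way the article describes, zlib compression followed by AES-CBC under a fixed 16-byte key, and rejects truncated, misaligned or wrong-key input. It assumes AES-128, a 16-byte IV prepended to the ciphertext and PKCS#7 padding, none of which the page states, and it uses a constructed placeholder key in place of the sample's real one.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"io"
)

var placeholderKey = []byte("0123456789abcdef") // constructed: the real key is not on the page

// OpenEnvelope undoes the wrapping the article describes (zlib, then AES-CBC under the fixed key).
// Assumed for this example, not stated on the page: AES-128, 16-byte IV prepended, PKCS#7 padding.
func OpenEnvelope(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	// PKCS#7 check: a wrong key nearly always fails here or at the zlib header below.
	n := int(padded[len(padded)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(padded[len(padded)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding (wrong key?)")
	}
	r, err := zlib.NewReader(bytes.NewReader(padded[:len(padded)-n]))
	if err != nil {
		return nil, errors.New("no zlib stream after decrypt (wrong key?)")
	}
	defer r.Close()
	return io.ReadAll(r) // zlib also verifies the Adler-32 trailer here
}

// SealEnvelope builds a fixture in the same assumed layout so OpenEnvelope can be exercised offline.
func SealEnvelope(key, iv, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	var zb bytes.Buffer
	w := zlib.NewWriter(&zb)
	w.Write(plain); w.Close()
	pad := aes.BlockSize - zb.Len()%aes.BlockSize
	data := append(zb.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return append(append([]byte{}, iv...), out...), nil
}
```

In practice the key and IV convention would come from the recovered sample, and the decoded payloads can then be fed to whatever command-log tooling the analyst uses.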
Elastic Security Labs' findings suggest that NANOREMOTE shares code with another known backdoor, FINALDRAFT (Squidoor), which uses Microsoft Graph API and is linked to threat group REF7707. The similarity in these backdoors indicates a shared development environment between the two groups, further highlighting the sophistication of modern threat actors.
In conclusion, Elastic Security Labs' discovery of NANOREMOTE malware highlights the ongoing cat-and-mouse game between cybersecurity researchers and threat actors. As the landscape of cyber threats continues to evolve, it is crucial for organizations to stay vigilant and up-to-date on the latest security patches and threat intelligence.
Related Information:
https://www.ethicalhackingnews.com/articles/Elastic-Unveils-Advanced-Threat-Intelligence-NANOREMOTE-Malware-Exploits-Google-Drive-as-C2-ehn.shtml
https://securityaffairs.com/185613/malware/elastic-detects-stealthy-nanoremote-malware-using-google-drive-as-c2.html
Published: Fri Dec 12 05:56:09 2025 by llama3.2 3B Q4_K_M