Elastic detects stealthy NANOREMOTE malware using Google Drive as C2

Pierluigi Paganini December 12, 2025

Elastic found a new Windows backdoor, NANOREMOTE, similar to FINALDRAFT/REF7707, using the Google Drive API for C2.

Elastic Security Labs researchers uncovered NANOREMOTE, a new Windows backdoor that uses the Google Drive API for C2. Elastic says it shares code with the FINALDRAFT (Squidoor) implant, which uses Microsoft Graph API and is linked to threat group REF7707.

“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API.” reads the report published by Elastic. “This feature ends up providing a channel for data theft and payload staging that is difficult for detection.”

WMLOADER, a loader disguised as a Bitdefender executable with an invalid signature, prepares the process for shellcode execution using VirtualAlloc/VirtualProtect. The shellcode, decrypted via rolling XOR, searches for wmsetup.log and decrypts it with AES-CBC using a fixed key, loading the NANOREMOTE backdoor into memory. Similar loaders mimic Bitdefender and Trend Micro. NANOREMOTE is a 64-bit backdoor written in C++ that runs commands, moves files, and uses the Google Drive API via pipe-separated configs or the NR_GOOGLE_ACCOUNTS environment variable.

NANOREMOTE communicates over HTTP with a hard-coded, non-routable IP, receiving operator commands and returning the corresponding results.

“As mentioned previously, NANOREMOTE’s C2 communicates with a hard-coded IP address. These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00). The URI for all requests uses /api/client with User-Agent (NanoRemote/1.0).” continues the report.
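The network indicators quoted above (POST to /api/client, User-Agent NanoRemote/1.0, a non-routable hard-coded destination) are easy to turn into a triage rule. The following is an added example written for this article, not code from Elastic or Security Affairs; the JSON-lines proxy log format, the field names and every address in it are constructed for illustration.

```python
import ipaddress
import json

# Indicators taken from the report as quoted in the article.
NANOREMOTE_URI = "/api/client"
NANOREMOTE_UA = "NanoRemote/1.0"

# Constructed sample proxy log (JSON lines) covering the cases the rule
# should distinguish; none of these addresses are real NANOREMOTE C2.
SAMPLE_LOG = """\
{"ts":"2025-12-10T08:01:02Z","src":"10.20.30.40","dst":"192.0.2.15","method":"POST","uri":"/api/client","user_agent":"NanoRemote/1.0"}
{"ts":"2025-12-10T08:01:05Z","src":"10.20.30.41","dst":"93.184.216.34","method":"GET","uri":"/index.html","user_agent":"Mozilla/5.0"}
{"ts":"2025-12-10T08:02:10Z","src":"10.20.30.40","dst":"10.0.0.5","method":"POST","uri":"/api/client","user_agent":"Mozilla/5.0"}
{"ts":"2025-12-10T08:03:00Z","src":"10.20.30.42","dst":"198.51.100.7","method":"POST","uri":"/login","user_agent":"NanoRemote/1.0"}
"""


def classify(rec):
    """Return (verdict, matched indicators) for one proxy log record."""
    hits = []
    if rec.get("user_agent") == NANOREMOTE_UA:
        hits.append("user_agent")
    if rec.get("method") == "POST" and rec.get("uri") == NANOREMOTE_URI:
        hits.append("uri")
    try:
        # "Non-routable" here means not globally routable (RFC 1918,
        # documentation ranges, loopback, ...), which is what the report
        # describes for the hard-coded C2 address.
        if not ipaddress.ip_address(rec.get("dst", "")).is_global:
            hits.append("non_routable_dst")
    except ValueError:
        pass  # malformed or missing dst: no address-based indicator
    # The custom User-Agent alone is a strong signal; the generic URI only
    # becomes interesting when paired with a non-routable destination.
    if "user_agent" in hits:
        verdict = "high"
    elif "uri" in hits and "non_routable_dst" in hits:
        verdict = "medium"
    elif "uri" in hits:
        verdict = "low"
    else:
        verdict = "none"
    return verdict, hits


def scan_log(text):
    """Parse JSON-lines proxy records and return the ones worth an alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict, hits = classify(rec)
        if verdict != "none":
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "verdict": verdict, "indicators": hits})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields three alerts: the first and last lines score high on the User-Agent, the third scores medium on URI plus non-routable destination, and the ordinary browsing line is ignored.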

NANOREMOTE supports 22 command handlers enabling full control over an infected Windows system. These handlers let attackers gather system info, modify beacon timing, terminate the implant, and manage files and directories (list, move, delete, create). The backdoor can execute commands, load PE files from disk or directly from memory, and change or retrieve the working directory.

It also includes advanced file-transfer capabilities using the Google Drive API, with queued download/upload tasks that can be paused, resumed, or canceled. These transfers blend into normal encrypted cloud traffic, complicating detection. Handlers also collect disk info, profile the victim, and maintain persistence and controlled teardown. The system uses custom PE loaders, Microsoft Detours for function hooking, and task queues to manage ongoing operations.

“Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads. It’s not clear why the threat group behind these implants is not rotating the key, it’s possibly due to convenience or testing.” concludes the report. “This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.”

Source: https://securityaffairs.com/185613/malware/elastic-detects-stealthy-nanoremote-malware-using-google-drive-as-c2.html