'NanoCore RAT' Developer Gets 33-Month Prison Sentence

Arkansas Man Admits Developing, Selling Software Intended for Malicious Use
Security researchers say NanoCore RAT was marketed on Hack Forums and sold via a dedicated site.

An Arkansas developer has been sentenced to serve more than two years in prison for developing and selling malware and malware distribution tools.

Taylor Huddleston, 27, of Hot Springs, Arkansas, was sentenced by U.S. District Judge Liam O'Grady on Friday to serve a 33-month term.

In July 2017, Huddleston pleaded guilty to charges of aiding and abetting computer intrusions by developing, marketing and distributing a prolific remote access Trojan called NanoCore RAT, as well as "Net Seal" licensing software. Huddleston had faced a prison sentence of up to 10 years (see Is US Computer Crime Justice Draconian?).

NanoCore was designed to steal information from PCs, including passwords and emails; access, modify and obtain copies of any files on the PC; surreptitiously activate webcams to spy on victims; as well as log keystrokes, according to court documents.

Net Seal was licensing software that could be used to distribute malware. Huddleston typically sold 50 licenses at a time for Net Seal, meaning users could use it to distribute their software - "either malicious software or other software" - to 50 PCs, resulting in his receiving "thousands of payments via PayPal from Net Seal customers," according to court documents.

RAT Attacks

NanoCore RAT was tied to attacks in at least 10 countries, including 2015 attacks against energy firms in the Middle East and Asia.

Huddleston originally claimed that NanoCore was a legitimate remote access tool designed to allow IT administrators to remotely manage their networks. After he was arrested in early 2017, attorney Travis Morrissey, who represented Huddleston at his bail hearing, told the Daily Beast's Kevin Poulsen that the defendant shouldn't be held responsible for a legitimate product that buyers used in an illegal manner.

"Everybody seems to acknowledge that this software product had a legitimate purpose," Morrissey said. "It's like saying that if someone buys a handgun and uses it to rob a liquor store, that the handgun manufacturer is complicit."

Prosecutors, however, argued that Huddleston intentionally developed and sold the software for criminal use, making it a remote access Trojan.

"Huddleston designed the NanoCore RAT for the purpose of enabling its users to commit unauthorized and illegal intrusions against victim computers," Assistant U.S. Attorney Kellen Dwyer wrote in a 14-page indictment unsealed in 2017.

Last July, in a statement of facts signed by Huddleston, he admitted that he'd intended his products to be used maliciously.

Marketed on Hack Forums

Security researchers say NanoCore was first released in early 2013. A version cataloged by security firm Trend Micro in December 2016 was 1.4 MB in size.

The software was formerly sold via the nanocore.io website. (The domain name changed hands last year, after Huddleston pleaded guilty, and is now registered to Walter Jorge Kavaliauskas, a prolific domain parker.)

Huddleston admitted to marketing NanoCore on the infamous social network called Hack Forums. The script-kiddie - or skiddy - site, described as "a wretched hive of scum and villainy" by Robert McArdle, a cybercrime researcher at security firm Trend Micro, allows participants to buy and trade cybercrime tools.

Huddleston admitted to selling NanoCore to at least 350 Hack Forums users. But Symantec reports that free, "cracked" versions of the software have also been in circulation since December 2013.

Teardown: NanoCore RAT

An analysis of NanoCore published last year by The DigiTrust Group, a managed information security services provider, said that the RAT sold for $25 but could be upgraded with additional functionality.

NanoCore RAT was distributed in part via website pop-ups claiming users needed to update their Adobe Flash Player. (Source: The DigiTrust Group)

"While NanoCore has created base plugins to expand its functionality, the NanoCore 'community' has been creating additional plugins for more specific malicious actions," DigiTrust researchers said. "A search for NanoCore plugins online provides pages of results and plugins going far beyond the base plugins provided from NanoCore's website. Plugins ranging from screen lockers to [cryptocurrency] miners are available for download online."

NanoCore plugins offered a ransomware capability as well as the ability to use infected endpoints to launch stresser/booter distributed denial-of-service attacks against others, according to court documents.

NanoCore plugins were developed in part by its community of users. (Source: The DigiTrust Group)

The DigiTrust Group said an employee at one of its clients, a large retail organization, encountered the malware after clicking on a fake pop-up window that promised an Adobe Flash Player update.

One NanoCore plugin offered users the ability to infect PCs and remotely activate and intercept the webcam feed, without turning on the webcam light.

Tied to Keylogger Attacks

Huddleston, who joined Hack Forums under the username "Aeonhack," also admitted to working with Zachary Shames, a Virginia college student who went by "Mephobia" on Hack Forums.

In January 2017, Shames - then 21 years old - pleaded guilty to selling a keylogger to 3,000 individuals that was used to infect over 16,000 victim computers.

Huddleston, in the statement of facts he signed in July 2017, admitted that he'd helped Shames distribute the malware via Net Seal.

Shames paid Huddleston $7.40 via PayPal in May 2012 in exchange for being able to use Net Seal to distribute the Limitless keylogger to others, according to court documents.

Huddleston also has admitted that NanoCore was used in a large-scale phishing attack in August 2016 that targeted at least 6,000 PCs via a fake invoice in PDF format. "The attachment in fact contained a link to a malicious executable that, if clicked by the victim, would send a request to download NanoCore onto the victim's computer from a remote server," according to court documents.
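The delivery chain described above (a PDF "invoice" whose embedded link points at an executable rather than a document) is something mail-gateway triage can flag before a user clicks. The following is an added example, not code from the article or the court documents: it scans an uncompressed PDF's link annotations for URI targets ending in an executable extension and for /Launch actions. The sample PDF bytes and the domain inside them are constructed placeholders, not indicators from the case, and the scanner assumes the PDF objects are not packed into compressed object streams.

```python
import re

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The first mimics the lure described in the article (a link whose target is
# an executable disguised with a double extension); the second is benign.
# The hostnames are placeholders, not real indicators from the case.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720]
   /A << /S /URI /URI (http://invoice-update.example/Invoice_4471.pdf.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 650 300 670]
   /A << /S /URI /URI (https://vendor.example/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Extensions an invoice PDF has no business linking to.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".jar", ".msi", ".hta")

# Matches the value of a /URI key given as a PDF literal string "( ... )".
# Hex-string values "< ... >" and compressed object streams are not handled.
URI_VALUE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")


def extract_uris(pdf_bytes):
    """Return every /URI target found in an uncompressed PDF, in file order."""
    uris = []
    for m in URI_VALUE.finditer(pdf_bytes):
        raw = m.group("uri").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def suspicious_links(pdf_bytes):
    """Flag URI targets whose path ends in an executable extension, plus any /Launch action."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        # Strip query string and fragment before checking the extension.
        path = uri.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(EXECUTABLE_EXT):
            findings.append(("uri-to-executable", uri))
    if LAUNCH_ACTION.search(pdf_bytes):
        findings.append(("launch-action", ""))
    return findings
```

On the constructed sample, only the first link is flagged; the benign terms page passes.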


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.