NF – NanoCore Trojan C2 – Traffic detected

This alert is triggered when network traffic containing a specific signature associated with NanoCore Trojan Command and Control (C2) communication is detected. NanoCore is a Remote Access Trojan (RAT) that allows attackers to remotely control infected devices, steal data, and execute malicious commands. The detection is based on a four-byte payload prefix (|08 00 00 00|) typically found at the start of NanoCore C2 traffic, on a flow that an earlier rule has already tagged with the NF-Nano flowbit; the rule only alerts once 20 such segments to the same destination are seen within 2 seconds, so a single stray match does not fire it.

Categories:

ID Number

5003053

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - NanoCore Trojan C2 - Traffic detected"; flags:PA; flow:to_server,established; content:"|08 00 00 00|"; depth:4; detection_filter:track by_dst, count 20, seconds 2; flowbits:isset,NF-Nano; reference:url,networkforensic.dk; metadata:08012019; classtype:policy-violation; sid:5003053; rev:1;)
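A model of this rule's matching and thresholding logic, added here as an example (it is not the rule author's or any IDS engine's code): it checks the PSH/ACK flag, the client-to-server direction, the NF-Nano flowbit and the 08 00 00 00 prefix, then applies the per-destination count/seconds filter. The packet records, the C2 address and the exact threshold boundary and window handling are assumptions.

```python
# Constructed packet records (not real captures): ts in seconds, tcp_flags,
# to_server (flow:to_server,established), flowbits already set on the flow
# by earlier rules, and the TCP payload.
def make_pkt(ts, dst, payload, flowbits=("NF-Nano",), flags="PA", to_server=True):
    return {"ts": ts, "dst": dst, "payload": payload,
            "flowbits": set(flowbits), "flags": flags, "to_server": to_server}

NANOCORE_PREFIX = bytes.fromhex("08000000")  # content:"|08 00 00 00|"; depth:4


class NanoCoreC2Detector:
    """Model of sid:5003053. A packet matches when it is a PSH/ACK segment from
    client to server on an established flow tagged with the NF-Nano flowbit
    and its payload starts with 08 00 00 00. detection_filter (track by_dst,
    count 20, seconds 2) is modelled as a fixed window per destination that
    starts at the first match; once `count` matches have accumulated inside
    it, every further match alerts. (Assumption: a real engine's boundary and
    window handling may differ slightly.)"""

    def __init__(self, count=20, seconds=2):
        self.count, self.seconds = count, seconds
        self.window = {}  # dst -> (window start ts, matches so far)

    def matches(self, pkt):
        return (pkt["flags"] == "PA" and pkt["to_server"]
                and "NF-Nano" in pkt["flowbits"]
                and pkt["payload"][:4] == NANOCORE_PREFIX)

    def process(self, pkt):
        """Return True when this packet should produce the alert."""
        if not self.matches(pkt):
            return False
        start, n = self.window.get(pkt["dst"], (None, 0))
        if start is None or pkt["ts"] - start > self.seconds:
            start, n = pkt["ts"], 0        # window expired: start a new one
        n += 1
        self.window[pkt["dst"]] = (start, n)
        return n > self.count


def run(packets, count=20, seconds=2):
    """Feed packets through one detector; return indices of alerting packets."""
    det = NanoCoreC2Detector(count, seconds)
    return [i for i, p in enumerate(packets) if det.process(p)]


if __name__ == "__main__":
    # 25 beacons to one (constructed) C2 host within a second: alerts from the 21st on.
    burst = [make_pkt(10.0 + i * 0.04, "203.0.113.7", b"\x08\x00\x00\x00\x01\x02")
             for i in range(25)]
    print(run(burst))  # [20, 21, 22, 23, 24]
```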

Severity

High

Recommendations/Investigative actions

Block traffic to the detected C2 server to prevent further interaction with the threat actor. Identify the device sending the traffic and perform a thorough malware scan to detect and remove NanoCore or other malicious software.