Newly emergent NANOREMOTE malware sets sights on Windows systems

The new NANOREMOTE backdoor targets Windows systems and overlaps with the FINALDRAFT implant linked to the suspected Chinese threat operation REF7707, also tracked as Earth Alux, JewelBug, and CL-STA-0049, The Hacker News reports.
Unlike FINALDRAFT, which uses the Microsoft Graph API for command-and-control, NANOREMOTE conducts C2 through the Google Drive API, allowing clandestine data exfiltration and payload staging, according to an analysis from Elastic Security Labs.
While details regarding its initial access vector remain uncertain, NANOREMOTE was observed being deployed through WMLOADER, a loader that spoofs a Bitdefender crash-landing component.
"Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads. This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE," said Elastic Security Labs principal security researcher Daniel Stepanic.
Tags: Network Security, Malware, Threat Intelligence