Full Report
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a
Analysis Summary
# Tool/Technique: NANOREMOTE
## Overview
NANOREMOTE is a new, fully-featured Windows backdoor that utilizes the Google Drive API for covert command-and-control (C2) and data exfiltration/staging. It demonstrates code similarity with the FINALDRAFT implant, suggesting a shared development lineage.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Windows
- Capabilities: C2 via Google Drive API, reconnaissance, command execution, file transfer (download/upload), persistence/task management.
- First Seen: Not explicitly stated; disclosed in the article dated Dec 11, 2025.
## MITRE ATT&CK Mapping
*Note: Mapping is based on described capabilities, specific technique IDs require deeper analysis.*
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (used when employing the Google Drive API for C2)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (utilizing the Google Drive API for data staging/theft)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (for running arbitrary commands)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (implied by the decryption routines and loader use)
## Functionality
### Core Capabilities
- **C2 Communication:** Uses the Google Drive API for communication, a channel that blends into legitimate cloud traffic and is difficult to distinguish with traditional network detection.
- **Data Transfer:** Implements a robust task management system for downloading and uploading files via Google Drive.
- **Command Execution:** Executes files and arbitrary commands on the victim endpoint.
- **Reconnaissance:** Capable of collecting host information.
- **HTTP Stub:** Communicates via HTTP POST requests to a hard-coded, non-routable IP address.
- **Encryption/Compression:** JSON data sent over HTTP is Zlib compressed and encrypted using AES-CBC with a 16-byte key (`558bec83ec40535657833d7440001c00`).
- **User Agent:** Uses the specific User-Agent string `NanoRemote/1.0` for C2 traffic.
### Advanced Features
- **Task Management System:** Features queueing, pausing, resuming, and canceling file transfer tasks.
- **Token Generation:** Capable of generating refresh tokens (likely for maintaining persistent access to the Google Drive API).
- **Loader Integration:** Delivered via a loader named WMLOADER, which mimics a legitimate Bitdefender component (`BDReinit.exe`) to decrypt and launch the shellcode payload.
- **Shared Codebase:** Shares code similarities and a hard-coded development key with the FINALDRAFT backdoor.
## Indicators of Compromise
- File Hashes: [Unknown based on the provided text]
- File Names: Artifact file named `wmsetup.log` was observed uploaded to VT.
- Registry Keys: [Unknown based on the provided text]
- Network Indicators: C2 requests use the URI `/api/client` over HTTP POST. Communication occurs with a hard-coded, non-routable IP address (specific address redacted).
- Behavioral Indicators: Use of a loader (WMLOADER) masquerading as `BDReinit.exe`; execution of Zlib-compressed and AES-CBC encrypted JSON payloads via HTTP POST; interaction with the Google Drive API for C2.
## Associated Threat Actors
- **REF7707 (aka CL-STA-0049, Earth Alux, Jewelbug):** A suspected Chinese activity cluster believed responsible for deploying FINALDRAFT and, by strong association, NANOREMOTE. Victims include government, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America (activity tracing back to March 2023).
## Detection Methods
- **Signature-based detection:** Signatures targeting the unique hard-coded AES-CBC key (`558bec83ec40535657833d7440001c00`) used for communication/decryption.
- **Behavioral detection:** Monitor for Google Drive API use by hosts or processes that do not normally use it, and for HTTP POST requests to `/api/client` on a non-routable IP address that carry the `NanoRemote/1.0` User-Agent.
- **YARA rules if available:** [Unknown based on the provided text]
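The network indicators above (HTTP POST to `/api/client`, the `NanoRemote/1.0` User-Agent, and a hard-coded non-routable destination) can be combined into a simple log-triage check. The following is an added example written for this summary, not code from Elastic Security Labs or from the malware itself. The proxy log format, the sample log lines, and the destination addresses are constructed for illustration (the report redacts the real address); only the URI and User-Agent strings come from the report.

```python
"""Triage proxy/web logs for NANOREMOTE HTTP C2 characteristics (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the report above.
NANOREMOTE_UA = "NanoRemote/1.0"
NANOREMOTE_URI = "/api/client"

# Assumed (constructed) proxy log layout:
#   <timestamp> <src-ip> <dst-ip> <method> <uri> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    dst: str
    severity: str          # "high" or "low"
    reasons: Tuple[str, ...]


def is_non_routable(ip: str) -> bool:
    """True for private, reserved, loopback, link-local and documentation ranges."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def score_request(rec: dict) -> Tuple[str, Tuple[str, ...]]:
    """Return (severity, reasons) for one parsed request; empty reasons means clean."""
    reasons = []
    if rec["ua"] == NANOREMOTE_UA:
        reasons.append("user-agent NanoRemote/1.0")
    if rec["method"] == "POST" and rec["uri"] == NANOREMOTE_URI:
        reasons.append("POST /api/client")
    # Destination is only interesting once another indicator has fired.
    if reasons and is_non_routable(rec["dst"]):
        reasons.append("non-routable destination " + rec["dst"])
    # The User-Agent alone is distinctive; URI plus non-routable target also
    # matches the described stub. A bare /api/client POST is a weak signal.
    if any(r.startswith("user-agent") for r in reasons) or len(reasons) >= 2:
        severity = "high"
    else:
        severity = "low"
    return severity, tuple(reasons)


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each log line and collect findings; unparsable lines are skipped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        severity, reasons = score_request(m.groupdict())
        if reasons:
            findings.append(Finding(line_no, m.group("dst"), severity, reasons))
    return findings


# Constructed sample log; 192.0.2.10 stands in for the redacted hard-coded address.
SAMPLE_LOG = [
    '2025-12-11T10:00:01Z 10.1.2.3 142.250.80.10 GET /drive/v3/files 200 "Mozilla/5.0"',
    '2025-12-11T10:00:02Z 10.1.2.3 192.0.2.10 POST /api/client 200 "NanoRemote/1.0"',
    '2025-12-11T10:00:03Z 10.1.2.4 93.184.216.34 POST /api/client 404 "curl/8.0"',
    'malformed line that the parser should ignore',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] dst={f.dst}: " + "; ".join(f.reasons))
```

On the sample data, line 2 is reported as a high-severity hit (User-Agent, URI and non-routable destination all match) and line 3 as a low-severity hit on the URI alone, which is worth a look but is not specific to this implant. Adapt `LOG_RE` to the actual proxy or EDR export format before use.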
## Mitigation Strategies
- **Prevention Measures:** Restrict outbound connections to known or expected destinations where possible; monitor fileless execution chains involving loaders.
- **Hardening Recommendations:** Implement strict network egress filtering; use API access monitoring tools that specifically flag unusual traffic patterns associated with legitimate cloud services (like Google Drive) being used for remote administration or data transfer.
## Related Tools/Techniques
- **FINALDRAFT (aka Squidoor):** Malware sharing code similarities with NANOREMOTE; uses the Microsoft Graph API for C2 instead of the Google Drive API.
- **WMLOADER:** Associated loader used to stage the NANOREMOTE payload; impersonates a Bitdefender crash handling component.