NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems.

Information

Google Drive is a cloud file storage service developed by Google. It gives users online storage space in which to keep files of all kinds, such as documents, photos, videos, and backups, on Google's servers.

The Google Drive API is a set of tools and protocols that lets software developers build applications that interact with and manage data stored in Google Drive directly from code, without requiring a user to manage the files by hand.

Incident

  Cybersecurity researchers have recently uncovered a new and highly sophisticated Windows backdoor malware, named NANOREMOTE, that leverages the Google Drive API as its primary command-and-control (C2) communication channel. This design enables attackers to remotely control infected computers and exfiltrate data while blending malicious traffic with legitimate cloud service activity, making detection exceptionally difficult.

According to Elastic Security Labs, NANOREMOTE shares significant code similarities with another backdoor known as FINALDRAFT (also called Squidoor), which uses the Microsoft Graph API for C2. This connection suggests that both malware families may originate from the same sophisticated threat actor, believed to be associated with the REF7707 espionage cluster, a group linked to state-aligned Chinese hacking operations targeting the government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America.

  NANOREMOTE was first identified in October 2025. A key component of its attack chain is a loader program called WMLOADER, which masquerades as a legitimate Bitdefender crash handler (BDReinit.exe). Once executed, WMLOADER decrypts a shellcode that launches the NANOREMOTE backdoor.

Picture 1: NANOREMOTE command-and-control workflow using Google Drive

Written in C++, the malware is engineered with broad stealth and control capabilities:

  • Command execution.
  • File and directory operations.
  • Information gathering from the host system.
  • Data transfer using the Google Drive API.
  • Encrypted communication over HTTP using AES-CBC and Zlib compression.

By exploiting a trusted cloud API like Google Drive, NANOREMOTE’s network communications hide within normal traffic, making it harder for traditional security defenses (such as firewalls and intrusion detection systems) to distinguish malicious activity from legitimate use.

Recommendation

  1. Monitor for abnormal Google Drive API usage.
  2. Deploy Endpoint Detection and Response (EDR) solutions to identify.
  3. Restrict Google Drive API access to approved applications only.
  4. Use Network Traffic Analysis (NTA) to detect behavioral anomalies.
  5. Avoid installing programs that are not from official sources.
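As an added example (not code from the original report or from Elastic Security Labs), the following Python triage script works recommendations 1 and 4 against constructed EDR-style network records: it flags Google Drive API calls made by processes outside an assumed allowlist, and Drive API requests whose timing is regular enough to look like a beacon. The log format, the allowlist and the sample records are all assumptions made for the example; the Temp-folder BDReinit.exe line mirrors the WMLOADER masquerade described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed EDR-style outbound HTTPS records: time, host, process image, destination, URL path.
# Made up for this example; the Temp-folder BDReinit.exe mirrors the masquerade described above.
SAMPLE_LOG = """\
2025-12-16T09:00:00 WS-01 C:\\Program Files\\Google\\Drive File Stream\\GoogleDriveFS.exe www.googleapis.com /drive/v3/files
2025-12-16T09:00:05 WS-01 C:\\Program Files\\Google\\Drive File Stream\\GoogleDriveFS.exe www.googleapis.com /upload/drive/v3/files
2025-12-16T09:01:00 WS-02 C:\\Users\\alice\\AppData\\Local\\Temp\\BDReinit.exe www.googleapis.com /drive/v3/files
2025-12-16T09:02:00 WS-02 C:\\Users\\alice\\AppData\\Local\\Temp\\BDReinit.exe www.googleapis.com /drive/v3/files
2025-12-16T09:03:00 WS-02 C:\\Users\\alice\\AppData\\Local\\Temp\\BDReinit.exe www.googleapis.com /upload/drive/v3/files
2025-12-16T09:04:00 WS-02 C:\\Users\\alice\\AppData\\Local\\Temp\\BDReinit.exe www.googleapis.com /drive/v3/files
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+) (\S+)$")   # path may contain spaces
DRIVE_API_RE = re.compile(r"^/(upload/)?drive/v\d+/")      # Drive v3 file/upload endpoints
# Assumed allowlist: approved Drive client image name -> folder it must run from (lower-case).
APPROVED = {"googledrivefs.exe": "c:\\program files\\google\\drive file stream\\"}

def parse_drive_api_calls(text):
    """Return (time, host, image) for every record that hits a Google Drive API endpoint."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, host, image, dest, path = m.groups()
        if dest == "www.googleapis.com" and DRIVE_API_RE.match(path):
            calls.append((datetime.fromisoformat(ts), host, image))
    return calls

def unapproved_clients(calls):
    """Flag Drive API use by an image that is not allowlisted or runs from the wrong folder."""
    flagged = set()
    for _, host, image in calls:
        folder, _, name = image.lower().rpartition("\\")
        if APPROVED.get(name) != folder + "\\":
            flagged.add((host, image))
    return sorted(flagged)

def beaconing_clients(calls, min_calls=3, max_jitter=0.2):
    """Flag (host, image) pairs whose Drive API requests arrive at near-constant intervals."""
    by_client = defaultdict(list)
    for ts, host, image in calls:
        by_client[(host, image)].append(ts)
    flagged = []
    for key, times in by_client.items():
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        # spread between the shortest and longest gap must stay within max_jitter of the mean gap
        if len(gaps) >= min_calls - 1 and gaps[-1] - gaps[0] <= max_jitter * sum(gaps) / len(gaps):
            flagged.append(key)
    return sorted(flagged)
```

On the sample records only the Temp-folder BDReinit.exe on WS-02 is reported, by both checks; the allowlisted Drive client on WS-01 is not.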

What matters most is the security of our systems. We must stay vigilant and keep monitoring as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
063 197 7510 (Mr. Yanotai)
065 725 7405 (Ms. Nattharini)

Weekly Interesting CVE

Columns: No., CVE Name, Published Date, Last Update, Device/Application/OS Target, Attack Type, CVSS Severity Rating, Detail, Solution, Reference.

  1. CVE-2025-7195
     Published Date: 07/08/2025
     Last Update: 06/12/2025
     Device/Application/OS Target: Operator-SDK versions prior to 0.15.2
     Attack Type: Local Privilege Escalation
     CVSS Severity Rating: 5.2
     Detail: Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments using random UIDs. In Operator-SDK versions prior to 0.15.2, a script named user_setup modified the permissions of the /etc/passwd file to 664 during the build process. An attacker who can execute commands inside an affected container, even as a non-root user, could abuse their membership in the root group to modify the /etc/passwd file.
     Solution: Update to version 0.15.2 or later
     Reference: https://app.opencve.io/cve/CVE-2025-7195

  2. CVE-2025-12196
     Published Date: 04/12/2025
     Last Update: 05/12/2025
     Device/Application/OS Target: The following Fireware OS versions:
       Version 12.0: from 12.0 through 12.11.4
       Version 12.5: from 12.5 through 12.5.13
       Version 2025.1: from 2025.1 through 2025.1.2
     Attack Type: Out-of-Bounds Write
     CVSS Severity Rating: 8.6
     Detail: There is an out-of-bounds write vulnerability in the CLI of WatchGuard Fireware OS that could allow an authenticated user with elevated privileges to execute arbitrary code through specially crafted CLI commands.
     Solution: Update Fireware OS to the following versions:
       Version 12.11.5
       Version 12.5.14
       Version 2025.1.3
     Reference: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00020

  3. CVE-2025-22399
     Published Date: 02/11/2025
     Last Update: 05/12/2025
     Device/Application/OS Target: Dell UCC Edge version 2.3.0
     Attack Type: Server-Side Request Forgery
     CVSS Severity Rating: 7.9
     Detail: An unauthenticated attacker with local access can exploit this vulnerability, which may lead to a Server-Side Request Forgery (SSRF) attack. The vulnerability allows an attacker to force the server to send requests to other systems specified by the attacker, even without being logged in.
     Solution: Update to version 3.0.0 or later
     Reference: https://www.dell.com/support/kbdoc/en-th/000279299/dsa-2025-043-security-update-for-dell-ucc-edge-security-update-for-multiple-vulnerabilities

  4. CVE-2025-60854
     Published Date: 02/12/2025
     Last Update: 03/12/2025
     Device/Application/OS Target: D-Link R15 (AX1500) version 1.20.01 and below
     Attack Type: Command Injection
     CVSS Severity Rating: 9.8
     Detail: An attacker can manipulate the model name parameter during a password change request on the web administrator page. This parameter manipulation can trigger command injection in the httpd process, which may allow the attacker to execute system commands on the device.
     Solution: Update to version 1.20.02 or later
     Reference: https://app.opencve.io/cve/CVE-2025-60854

  5. CVE-2025-13492
     Published Date: 03/12/2025
     Last Update: 04/12/2025
     Device/Application/OS Target: HP Image Assistant versions prior to 5.3.3
     Attack Type: Local Privilege Escalation
     CVSS Severity Rating: 5.4
     Detail: This vulnerability could allow a local attacker to perform privilege escalation by exploiting a race condition during the package installation process.
     Solution: Update to version 5.3.3
     Reference: https://support.hp.com/us-en/document/ish_13505078-13505143-16/hpsbgn04078


Malware News or Campaign IOC/IOA | EN

Columns: No., Campaign Name, Detection Date, Attack Type, Description, Mitigation/Remediation.

  1. ClickFix attack surge: fake ChatGPT Atlas installers steal passwords
     Detection Date: 04/12/2025
     Attack Type: ClickFix attack
     Description: HackRead reports a 517% increase in the deceptive ClickFix attack. Threat actors are using this social engineering tactic to distribute fake ChatGPT Atlas installers that trick users into running password-stealing software. The lure site is a near-perfect replica of the ChatGPT Atlas installer site; the only giveaway is its Google Sites URL. The core of the attack is tricking users into copying and pasting obfuscated commands into their computer's command line. This seemingly innocuous action executes a remote script that repeatedly prompts for the user's password until it is stolen, enabling privilege escalation to administrator access.
     Mitigation/Remediation:
       • Avoid clicking on suspicious links or downloading software from untrusted sources.
       • Conduct regular security awareness training for all employees.
     Ref: https://www.scworld.com/brief/clickfix-attack-surge-fake-chatgpt-installers-steal-passwords

 

16 December 2025
