Meet NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging.

Khushal

Apr 4, 2024
WMLOADER masquerades as a Bitdefender Security program (BDReinit.exe) with an invalid digital signature.

Based on the previous shellcode decryption routine, Elastic identified other related samples targeting Bitdefender and Trend Micro products when searching in VirusTotal.

As of writing this post, both Bitdefender and Trend Micro do not detect this threat.


What Elastic describes there is a classic case of AV‑masquerading: a loader drops an EXE that looks like part of a trusted security product (here, Bitdefender’s BDReinit.exe), but the digital signature does not validate.

A few practical takeaways from this

  • File name and “Properties” are not enough
    Malware authors can copy:
    • File name (BDReinit.exe)
    • Product name (“BitDefender Security”)
    • Copyright strings, version info, etc.
    Windows will happily display whatever they put into the PE resources. The only thing that really matters is:
    • The Digital Signatures tab – is there a valid signature from Bitdefender?
    • The file path – is it actually in Bitdefender’s install directory, or somewhere odd (user profile, temp, random folder)?
  • “Invalid digital signature” = immediate red flag
    If a binary claims to be from Bitdefender/Trend Micro but:
    • The signature tab is missing, or
    • The signature is present but reported as invalid,
    then you should treat it as suspicious and not trust it just because the Description or Product Name says “Bitdefender Security”.
  • Vendors not detecting (yet) is unfortunately normal
    Elastic often publishes very fresh campaigns. It’s not unusual that:
    • Static signatures are lagging behind for a while.
    • Detection might exist only in advanced/EDR rules, not in the consumer product yet.
    So your observation that Bitdefender and Trend Micro don’t currently flag those WMLOADER samples is believable. Signatures and heuristics will typically be updated once vendors triage the samples.
  • If you encounter such a file yourself
    • Upload the sample or at least the hash to VirusTotal / Hybrid Analysis to see multi‑engine opinions and behavior.
    • Submit it directly to Bitdefender / Trend Micro as a suspicious file (they both have sample submission portals).
    • Do not execute it further; if it already ran, run a full system scan with multiple reputable tools (on‑demand scanners) and consider posting logs in the Malware Removal section for a deeper look.

Hardening ideas against this kind of loader

  • Use an AV/EDR with strong behavior blocking, not just signatures.
  • On Windows Pro/Enterprise, enable Attack Surface Reduction rules and block suspicious child processes of Office, browsers, script interpreters, etc.
  • Be cautious with “installers” or “fix tools” that claim to be from AV vendors but come from third‑party sites, forums, e‑mail, cracked software etc.

If you’re looking at a specific BDReinit.exe on your system and are unsure whether it’s legitimate, you can post:
  • Its full path
  • A screenshot of the Digital Signatures tab
  • The SHA‑256 hash (from e.g. HashCheck or PowerShell)
and other members can help you judge whether it matches the real Bitdefender component or looks like the WMLOADER impersonation.
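The three checks from the reply above (signature, install location, SHA-256) as a single PowerShell triage snippet. This is an added example, not code from the thread or from Elastic; the file path is a constructed placeholder, and the Bitdefender install roots are assumed defaults.

```powershell
# Added example: triage a file that claims to be Bitdefender's BDReinit.exe.
# Checks what the reply above says actually matters: Authenticode status,
# where the file lives, and its SHA-256 (the value to post or submit instead of the file).
param(
    [string]$Path = 'C:\Users\Public\BDReinit.exe'   # constructed placeholder, point this at your file
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Signature: anything other than 'Valid' on a file claiming to be an AV component is a red flag.
$sig    = Get-AuthenticodeSignature -FilePath $file.FullName
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no certificate>' }

# 2. Location: the real component lives under the vendor's Program Files directory (assumed roots),
#    not in a user profile, Temp or a random folder.
$expectedRoots = @("$env:ProgramFiles\Bitdefender", "${env:ProgramFiles(x86)}\Bitdefender")
$inVendorDir   = [bool]($expectedRoots | Where-Object { $file.FullName -like "$_\*" })

# 3. Hash: share this, not the binary.
$sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

$legit = ($sig.Status -eq 'Valid') -and ($signer -match 'Bitdefender') -and $inVendorDir

[pscustomobject]@{
    Path                = $file.FullName
    ProductName         = $file.VersionInfo.ProductName   # PE resource string, attacker-controlled
    SignatureStatus     = $sig.Status                     # Valid / NotSigned / HashMismatch / NotTrusted ...
    StatusMessage       = $sig.StatusMessage
    Signer              = $signer
    SignerIsBitdefender = ($signer -match 'Bitdefender')
    InVendorDir         = $inVendorDir
    SHA256              = $sha256
    Verdict             = if ($legit) { 'matches a signed vendor component' } else { 'SUSPICIOUS: do not run, submit the hash' }
}
```

Note that ProductName is shown only for contrast: it is whatever the author wrote into the PE resources, so it never counts toward the verdict.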
On VT still only about half a dozen vendors detect these threats.
That’s unfortunately very typical for fresh or low‑volume campaigns, especially when they abuse legit‑looking AV components.

Why VT detections can stay low

  • Vendors prioritize what they actually see in the wild
    If WMLOADER is very targeted or low‑spread, it may not be high on every vendor’s priority list yet, so static signatures take longer.
  • Cloud/behavior vs. static signatures
    Some products rely more on:
    • Cloud lookups
    • Behavioral rules / EDR telemetry
    • Memory and script heuristics
    Those aren’t always reflected as a simple “name” in VirusTotal’s static scan of a standalone file.
  • Obfuscation & loaders
    Loaders often change packers, encryption keys, or minor code details between samples. Each variant might need:
    • A generic heuristic that’s hard to tune without FPs, or
    • New specific signatures per variant
    so coverage looks spotty for a while on VT.
  • VT ≠ real‑world protection level
    A file that looks under‑detected on VT might still be:
    • Blocked in real time because of URL / reputation / behavior
    • Quarantined only when executed under certain conditions
    VT only shows “this exact binary, scanned statically, right now”.

What you can practically do

  • If you have a sample, submit it directly to Bitdefender, Trend Micro, and any vendor you use. Direct submissions usually speed up coverage.
  • Don’t assume “few detections = safe” – always treat such files as suspicious if they:
    • Masquerade as security software
    • Have invalid/missing signatures
    • Live in odd locations (Temp, user folders, etc.)
  • Use at least one extra on‑demand scanner (e.g. ESET Online, Kaspersky Virus Removal Tool, Emsisoft Emergency Kit) if you suspect compromise.

If you want, you can share the hash (not the file itself) here, and others may be able to track how detections evolve over time or see if it matches known WMLOADER clusters.