NukeSped RAT is a Windows-based remote access trojan attributed to the Lazarus Group that uses phishing Word documents with malicious macros to drop staged payloads. It exfiltrates data, captures keystrokes and screenshots, and downloads additional payloads, employing obfuscation and in-memory loading techniques, with new variants exploiting Log4j on unpatched VMware Horizon servers. #NukeSped #LazarusGroup #Log4shell #VMwareHorizon #AlgStore #mshta #WMI #PowerShell
Keypoints
- NukeSped RAT is attributed to Lazarus Group, active across Asia Pacific and targeting its victims with malicious Word documents containing macros.
- The infection chain starts with a phishing/spear-phishing email delivering a Word document whose macro runs once the victim enables it.
- The first-stage loader (AlgStore.exe) decrypts and loads the second-stage payload in memory to perform further actions.
- The second-stage payload collects system information, captures keystrokes and screenshots, and exfiltrates data to remote C2 servers while creating a mutex to prevent multiple instances.
- The macro workflow uses WMI (wmiprvse), mshta, and a BMP/ZIP dropper technique to conceal the payload delivery.
- New variants since Jan 2022 exploit Log4j on unpatched VMware Horizon servers and exhibit anti-analysis features and multiple capabilities.
- IOCs include several MD5 hashes, URLs, mutex names, and hardcoded strings used by the malware.
MITRE Techniques
- [T1566] Phishing – The malware is distributed through phishing or spear phishing emails having malicious attachments. [‘The malware is distributed through phishing or spear phishing emails having malicious attachments.’]
- [T1082] System Information Discovery – The second-stage payload gathers system information. [‘Gather system information’]
- [T1083] File and Directory Discovery – The payload enumerates files and directories on the host. [‘Files & Directory Discovery’]
- [T1204.002] Malicious File – The macro executes a malicious file as part of the infection chain. [‘the macro will execute’, ‘malicious code’]
- [T1059.001] PowerShell – The malware uses PowerShell to run commands. [‘Power Shell’]
- [T1059.003] Windows Command Shell – Command prompt is used to execute commands like edg89C0.bat. [‘command prompt to execute file “edg89C0.bat”’]
- [T1059.007] JavaScript – Embedded JavaScript code drops payloads. [‘embedded javascript code to drop a payload’]
- [T1070.004] File Deletion – The loader deletes itself after execution. [‘deletes itself subsequently’]
- [T1027] Obfuscated/Compressed Files and Information – Strings and API calls are obfuscated with base64 and RC4. [‘encoded with base64 and RC4’]
- [T1113] Screen Capture – The malware captures keystrokes and screenshots. [‘Keylogging’, ‘Screen Capture’]
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to C2 servers. [‘exfiltrate data and establish connections with C2 servers’]
Indicators of Compromise
- [MD5] Word Doc – 71759cca8c700646b4976b19b9abd6fe
- [MD5] Loader – 1BB267C96EC2925F6AE3716D831671CF
- [URL] Communication – hxxp://snum[.]or[.]kr/skin_img/skin[.]php, hxxp://www.ddjm[.]co[.]kr/bbs/icon/skin/skin[.]php
- [String] Decryption Key – !zGYX*ei$%HrW9#a
- [String] Hardcoded Password – taifehjRTYB$%^45
- [Mutex] Mutex Name – Microsoft32
- [Filename] Malicious File – AlgStore.exe, Image003.zip
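As an added defender-side illustration (not part of the report or of CYFIRMA's own tooling), the script below matches constructed Sysmon-style events against the indicators listed above and the macro workflow described in the key points. The events, the field names and the wmiprvse.exe parent-process heuristic are assumptions; the hostnames are re-fanged from the defanged URLs.

```python
# Indicators taken from the report above (hashes lower-cased, URLs re-fanged).
IOC_HASHES = {"71759cca8c700646b4976b19b9abd6fe", "1bb267c96ec2925f6ae3716d831671cf"}
IOC_URLS = ("snum.or.kr/skin_img/skin.php", "www.ddjm.co.kr/bbs/icon/skin/skin.php")
IOC_FILES = ("algstore.exe", "image003.zip", "edg89c0.bat")
IOC_MUTEX = "Microsoft32"
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe"}

# Constructed Sysmon-style events (not real telemetry): process creation,
# network connection and mutex creation, in the order the chain would appear.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wmiprvse.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\Public\\stage.hta", "md5": ""},
    {"type": "process", "parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c edg89C0.bat", "md5": ""},
    {"type": "process", "parent": "powershell.exe", "image": "AlgStore.exe",
     "cmdline": "C:\\ProgramData\\AlgStore.exe",
     "md5": "1BB267C96EC2925F6AE3716D831671CF"},
    {"type": "network", "url": "http://snum.or.kr/skin_img/skin.php"},
    {"type": "mutex", "name": "Microsoft32"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt", "md5": ""},
]


def classify(event):
    """Return the list of report indicators this event matches (empty if none)."""
    hits = []
    if event["type"] == "process":
        cmd, image = event["cmdline"].lower(), event["image"].lower()
        if event["md5"].lower() in IOC_HASHES:
            hits.append("known loader/document hash")
        for name in IOC_FILES:
            if name in cmd or image == name:
                hits.append(f"report filename {name}")
        # Heuristic (assumption): the macro launches its script host through WMI,
        # so the parent is wmiprvse.exe instead of the Word process.
        if event["parent"].lower() == "wmiprvse.exe" and image in SCRIPT_HOSTS:
            hits.append("wmiprvse.exe spawning script host")
    elif event["type"] == "network":
        if any(url in event["url"].lower() for url in IOC_URLS):
            hits.append("C2 URL from report")
    elif event["type"] == "mutex" and event["name"] == IOC_MUTEX:
        hits.append("NukeSped mutex")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], hits)
```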
Read more: https://www.cyfirma.com/outofband/nukesped-rat-report/