Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) – ASEC BLOG

Lazarus Group targeted Korea by exploiting the Log4j vulnerability CVE-2021-44228 on unpatched VMware Horizon servers to install NukeSped and related components. The operation includes NukeSped backdoors, an infostealer, and Jin Miner modules, with data exfiltration and remote-control capabilities over encrypted C2 communications and several credential and information theft tactics.

Keypoints

  • The Lazarus group exploited CVE-2021-44228 (Log4j) on unpatched VMware Horizon products to deliver NukeSped to targets in Korea.
  • NukeSped is a backdoor that decrypts strings with DES and uses RC4 for internal data and C2 communications, with two distinct RC4 keys for strings and C2.
  • It communicates with its C2 via HTTP-based requests/responses (Type 1 and Type 2) and includes a verification step disguised as SSL communication.
  • NukeSped can perform keylogging, screen capture, USB dump, and WebCam capture, along with various shell and file-management tasks.
  • An infostealer module was added to steal browser credentials, email accounts, and recently used file names.
  • The attackers also deployed Jin Miner (CoinMiner) to mine Monero, and used NukeSped to gather information for potential lateral movement.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Lazarus Group exploited CVE-2021-44228 on unpatched VMware Horizon to install NukeSped. ‘The attacker used the log4j vulnerability on VMware Horizon products that were not applied with the security patch.’
  • [T1105] Ingress Tool Transfer – NukeSped downloaded from a URL: ‘hxxp://185.29.8[.]18/htroy.exe’.
  • [T1027] Obfuscated/Compressed Files and Information – The malware decrypts strings with DES and uses RC4 keys for decryption and C2 communications. ‘RC4 Key 1 (decrypting strings)… RC4 Key 2 (C&C communications)’.
  • [T1071.001] Web Protocols – C2 traffic uses HTTP with explicit requests/responses: ‘HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7’ and ‘HTTP 1.1 /member.php SSL3.4’.
  • [T1113] Screen Capture – NukeSped includes screen capture capabilities via ModuleScreenCapture. ‘ModuleScreenCapture’ is listed among capabilities.
  • [T1125] Video Capture – ModuleWebCamera indicates webcam capture as part of the attack. ‘ModuleWebCamera are new features discovered in this attack.’
  • [T1056.001] Keylogging – NukeSped can perform keylogging via ModuleKeyLogger.
  • [T1059.003] Windows Command Shell – Command execution through cmd.exe (e.g., ‘cmd.exe /c “ping 11.11.11.1”’).
  • [T1069.002] Domain Groups – Discovery of domain admins via ‘net group “domain admins” /domain’.
  • [T1087.001] Local Account Discovery – Discovery via ‘net user _smuser white1234!@#$’.
  • [T1555.003] Credentials in Web Browsers – Infostealer collects browser-stored accounts/passwords and history. ‘Collected Data: accounts and passwords saved in browsers, browser history.’
  • [T1555.004] Credentials in Email Clients – Infostealer collects email account information (Outlook Express, MS Office Outlook, Windows Live Mail).
  • [T1496] Resource Hijacking – Jin Miner (CoinMiner) mines Monero. ‘Jin Miner is a CoinMiner that ultimately mines the Monero coin.’
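As an added defender's example (not code from the ASEC report), the following Python flags web-proxy and process log lines that show the NukeSped C2 traits quoted above: the listed C2 endpoints, the `/index.php?member=sbi2009` and `/member.php` request paths, the `SSL3.x` marker, and the domain-admin discovery command. The log line layout and the sample lines are constructed assumptions.

```python
import re

# C2 endpoints and request markers quoted in the ASEC write-up.
C2_ENDPOINTS = {
    "185.29.8.18:8888",
    "84.38.133.145:443",
    "84.38.133.16:8443",
    "mail.usengineergroup.com:8443",
}
C2_URI = re.compile(r"/(?:index\.php\?member=sbi2009|member\.php)\b")
FAKE_SSL = re.compile(r"\bSSL3\.\d+(?:\.\d+)?\b")  # "SSL3.3.7" / "SSL3.4" marker
DISCOVERY = re.compile(r'\bnet\s+group\s+"domain admins"\s+/domain\b', re.I)

# Constructed sample lines; assumed layout: <ts> <src> <dst:port> <method> <uri> <trailer>
PROXY_SAMPLE = [
    "2022-05-02T10:11:12Z 10.0.0.5 84.38.133.145:443 POST /index.php?member=sbi2009 SSL3.3.7",
    "2022-05-02T10:11:13Z 10.0.0.5 84.38.133.145:443 POST /member.php SSL3.4",
    "2022-05-02T10:11:14Z 10.0.0.7 203.0.113.9:443 GET /member.php HTTP/1.1",
    "2022-05-02T10:11:15Z 10.0.0.8 198.51.100.2:80 GET /index.html HTTP/1.1",
]
PROC_SAMPLE = [
    'cmd.exe /c "ping 11.11.11.1"',
    'net group "domain admins" /domain',
    "net user",
]

def scan_proxy(lines):
    """Return (line_no, [reasons]) for each line showing at least one C2 trait."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        dst, uri, trailer = parts[2], parts[4], " ".join(parts[5:])
        reasons = []
        if dst in C2_ENDPOINTS:
            reasons.append("known-c2")
        if C2_URI.search(uri):
            reasons.append("nukesped-uri")
        if FAKE_SSL.search(trailer):
            reasons.append("fake-ssl-marker")
        if reasons:
            hits.append((n, reasons))
    return hits

def proxy_alerts(lines):
    """Alert on a known C2 endpoint, or on two or more weaker traits together."""
    return [n for n, r in scan_proxy(lines) if "known-c2" in r or len(r) >= 2]

def scan_process(cmdlines):
    """Return line numbers of command lines matching the domain-admin discovery."""
    return [n for n, c in enumerate(cmdlines, 1) if DISCOVERY.search(c)]
```

A generic `/member.php` request alone (line 3 of the sample) is only a weak trait and does not alert by itself; pairing it with the fake SSL marker or a listed endpoint does.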

Indicators of Compromise

  • [URL] NukeSped download URL – hxxp://185.29.8[.]18/htroy.exe
  • [URL] NukeSped C2 URLs – 185.29.8[.]18:8888, 84.38.133[.]145:443, 84.38.133[.]16:8443, mail.usengineergroup[.]com:8443
  • [File] NukeSped filenames – svc.exe, srvCredit.exe, runhostw.exe, javarw.exe
  • [URL] Jin Miner download URLs – hxxp://iosk[.]org/pms/add.bat, hxxp://iosk[.]org/pms/mad.bat, hxxp://iosk[.]org/pms/jin.zip, hxxp://iosk[.]org/pms/jin-6.zip
  • [Domain] C2 domain – mail.usengineergroup[.]com

Read more: https://asec.ahnlab.com/en/34461/