Samples of NukeSped malware were analyzed by Fortinet security researchers, who did a deep-dive and found that it shares multiple similarities with other malware families being extensively used by the threat actors in North Korea.
The U.S. Government, in particular, refers to this malicious threat actor connected to the North Korean government as “HIDDEN COBRA”. The Remote Access Trojan (RAT) is associated with the state-sponsored Lazarus Group; as a similar research conducted last year, yielded the same result as of the recent one in which various North Korean hacking groups were found associated with Lazarus via Code reuse.
Fortinet reveals that the malware samples, share multiple characteristics, including the fact that they were predominantly compiled for 32-bit systems, have feature encrypted strings that could hinder analysis and also have a compilation timestamps spanning from May 04, 2017 to February 13, 2018.
On top of all these, Fortinet’s security researchers discovered that most of the sample contains language ID for Korean, and even few instances showed the reuse of some functions.
Initially the malware appeared to invoke only few APIs that depicts it dynamic functionality. In addition, the import table was short and could import a small number of common DLLs and functions.
The researchers also discovered that NukeSped would encrypt API names resulting in an attempt to hinder static analysis and the order of the functions being loaded was identical to other samples.
As persistence being one of the desirable traits of any attack, here the RAT would itself insert into a Run Registry key, and in few cases it goes ahead and installs itself as a service.
The key functionality of the malware is to enable attackers with remote administration of the infected host to perform malicious activities.
Some of the features of the malware include its capability to duplicate files in a folder, create process as another user, reduplicate processes and modules, create or terminate a process, read or write a file, copy/move a file, get disk information (including the type of disk and the free space on it), to know the current directory, and to change from one directory to another.
Interestingly the malware is also able to connect to a remote host and from there it can recover and trigger additional workloads from the internet, and after all this it can finally remove itself and the associated artifacts from the infected system leaving behind no audit trails.
Fortinet’s researchers firmly believe that the malware is linked to North Korea basis the various factors including the analysis pattern of the encrypted strings, the way the string is used to load APIs, and the actuality of the structure and the feature set of the RAT (which is the main function) are a replication of FALLCHILL.
The usage of a specific cryptography blob found in most NukeSped samples, and a few file name references shared with HOPLIGHT also majorly contribute to this inference. Above all, 7 out of 10 NukeSped samples were found to be in Korean – this makes it clear!
“Given all the evidence so far, we can conclude that the NukeSped RATs have some relation to North Korea threat actors (HIDDEN COBRA),” Fortinet notes.