Analysis Report of Lazarus Group’s NukeSped Malware

AhnLab Security Emergency response Center (ASEC) has released an analysis report on the Lazarus group's attacks observed from around 2020 until recently. The malware discussed here is known as NukeSped, a backdoor that can perform various malicious behaviors according to commands received from the attacker. This report covers the overall flow of attacks that use NukeSped. It examines the malware's features starting from the confirmed distribution methods, then details each attack stage, such as the commands received from the attacker and the additional malware it installs.


Contents
Overview
1. Initial Compromise Method
    1.1. Distribution Cases – Email Attachments
    1.2. Distribution Cases – Watering Hole Attacks
2. Downloader
    2.1. Downloader #1
    2.2. Downloader #2
    2.3. Packer
3. Analysis of NukeSped
    3.1. Characteristics
    3.2. C&C Communications
    3.3. Analysis of Features
        a. ModuleUpdate
        b. ModuleShell
        c. ModuleFileManager
        d. ModuleKeyLogger
        e. ModuleSocksTunnel
        f. ModuleScreenCapture
        g. ModuleInformation
        h. ModulePortForwarder
4. Post Infection
    4.1. NukeSped Commands
        a. Install Process
        b. Collecting Information
        c. Registering to Task Scheduler
    4.2. Creating Additional Malware
        4.2.1. Stealing Web Browser and Outlook Account Information
        4.2.2. Stealing Clipboard and Windows Text Information
        4.2.3. Modifying File MAC Time
        4.2.4. Launcher
        4.2.5. Port Scanner
        4.2.6. DarkComet RAT
AhnLab Response Status
Conclusion
IoC (Indicators of Compromise)
    File Path and Name
    File Hashes (MD5)
    Related Domain, URL, and IP Address
References

※ The downloadable report is provided only as a Korean-language PDF.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information
