Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)

In December last year, the Log4Shell vulnerability (CVE-2021-44228) in the Java-based logging library Log4j became a worldwide issue. It is a remote code execution vulnerability: an attacker places the address of a remote Java object in a log message sent to a server that uses Log4j, and the server fetches and runs that Java object.

The ASEC analysis team is monitoring the Lazarus group's attacks on targets in Korea. In April, the team discovered an attack group suspected to be Lazarus distributing NukeSped by exploiting this vulnerability. The attacker exploited the Log4j vulnerability in VMware Horizon products that had not received the security patch. VMware Horizon is a virtual desktop solution used mainly by companies for remote work and cloud infrastructure operations, and with the recent spread of COVID-19 it is likely that many companies use it for remote working.


NukeSped

The following is AhnLab's ASD (AhnLab Smart Defense) log showing NukeSped being installed by a PowerShell command executed from VMware Horizon's 'ws_tomcatservice.exe' process.

Figure 1. ASD log for NukeSped installation


Analysis of NukeSped

NukeSped is a backdoor that receives commands from the C&C server and executes them. The type covered in this post is one of the NukeSped variants the Lazarus group has used since 2020. That variant was analyzed in detail in the ASEC blog post shown below; this post briefly introduces the NukeSped type used in this attack and compares it with the previous version.

The variant is written in C++. Because it uses virtual functions, class names remain in the binary (see Figure 2).

Figure 2. Class names of NukeSped

This variant normally uses the DES algorithm to decrypt internal strings, including API names and the list of C&C servers, and the RC4 algorithm to communicate with the C&C server. There are some changes as well: the previous blog post covered types that used XOR encryption (the CryptorXor class) instead of RC4 for C&C communication. In this attack, however, the type used RC4 for the internal strings, the C&C server list, and C&C communication alike, with a different RC4 key for each purpose.

  • RC4 Key 1 (decrypting strings): 7B CA D5 7E 1B AE 26 D8 60 1B 61 DA 83 80 11 72 01 6C 54 D8 8A E8 DE 7B 1A 0A
  • RC4 Key 2 (C&C communications): CD 80 5D D6 6C 1C 63 78 AF 13 7F 67 5B E9 B1 F4 87 27 EE 91 F3 5F 17 EE 9B 6A 28 61 8C F4

Figure 3. RC4 key used for decrypting strings

Once string decryption and API resolving are complete, the malware begins communicating with the C&C server. After connecting, NukeSped performs an additional verification step by sending a string disguised as SSL traffic; only when it receives a specific string in reply does it treat the server as a valid C&C server and continue with its routine. As in the previous analysis report, two pairs of strings are used for this step.

Type    | C&C Request                                  | C&C Response
Type 1  | HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7  | HTTP 1.1 200 OK SSL2.1
Type 2  | HTTP 1.1 /member.php SSL3.4                  | HTTP 1.1 200 OK SSL2.1

Table 1. C&C request and response values for each type

The malware then obtains the MAC address of the infected host, encrypts it with RC4, and sends it to the C&C server. Subsequent packets are encrypted with the same algorithm.

Figure 4. Communication process with the C&C server
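The verification exchange from Table 1 and the RC4-encrypted beacon that follows it, as an analyst-side decoder. This is an added example written for this post, not ASEC's or the malware's code; the flow record is constructed, and its ciphertext is generated locally with Key 2 so the sample runs offline.

```python
from typing import Optional

# Handshake strings from Table 1: (request sent by the bot, expected reply)
HANDSHAKES = {
    "Type 1": (b"HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7", b"HTTP 1.1 200 OK SSL2.1"),
    "Type 2": (b"HTTP 1.1 /member.php SSL3.4", b"HTTP 1.1 200 OK SSL2.1"),
}

# RC4 Key 2 from the post (used for C&C communication)
RC4_KEY2 = bytes.fromhex("CD805DD66C1C6378AF137F675BE9B1F48727EE91F35F17EE9B6A28618CF4")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def classify_handshake(request: bytes, response: bytes) -> Optional[str]:
    """Return the Table 1 type when the request/response pair matches NukeSped."""
    for name, (req, resp) in HANDSHAKES.items():
        if request.strip() == req and response.strip() == resp:
            return name
    return None

def decode_beacon(flow: dict) -> Optional[dict]:
    """After a matching handshake, RC4-decrypt the first payload (the MAC address) with Key 2."""
    kind = classify_handshake(flow["request"], flow["response"])
    if kind is None:
        return None
    plain = rc4(RC4_KEY2, flow["payload"])
    return {"type": kind, "beacon": plain.decode("ascii", errors="replace")}

# Constructed flow: the ciphertext is produced here with Key 2 so the sample is self-contained.
SAMPLE_FLOW = {
    "request": b"HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7",
    "response": b"HTTP 1.1 200 OK SSL2.1",
    "payload": rc4(RC4_KEY2, b"00-11-22-33-44-55"),
}
```

Pointing `decode_beacon` at real captures of traffic to the listed C&C ports would confirm a NukeSped session and recover the reported MAC address.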

Depending on the command received, NukeSped can perform keylogging, take screenshots, and carry out file and shell tasks. These features are implemented in the classes listed below; ModuleUsbDump and ModuleWebCamera are new features discovered in this attack.

  • ModuleUpdate
  • ModuleShell
  • ModuleFileManager
  • ModuleKeyLogger
  • ModuleSocksTunnel
  • ModuleScreenCapture
  • ModuleInformation
  • ModulePortForwarder
  • ModuleUsbDump
  • ModuleWebCamera


Attacks using NukeSped

Installing INFOSTEALER

The attacker used NukeSped to additionally install infostealers. Both of the two malware samples found are console programs that do not save the stolen data to separate files, so it is assumed that the attacker either remotely controlled the user's GUI session or exfiltrated the output through a pipe. One of the two is the same file used in the previous attack.

Figure 5. List of collected information

The software targeted and the data collected are as follows:

  • Collected Data: accounts and passwords saved in browsers, browser history
    Targeted Software: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale
  • Collected Data: email account information
    Targeted Software: Outlook Express, MS Office Outlook, and Windows Live Mail
  • Collected Data: Names of recently used files
    Targeted Software: MS Office (PowerPoint, Excel, and Word) and Hancom 2010

NukeSped Use Commands

The attacker collected additional information by sending command-line commands through the NukeSped backdoor. The commands below gather basic network and domain information about the environment of the infected system. This information can later be used for lateral movement; if that succeeds, the attacker can take control of the systems within the domain.

  • cmd.exe /c “ping 11.11.11.1”
  • cmd.exe /c “ipconfig /all”
  • cmd.exe /c “query user”
  • cmd.exe “net group “domain admins” /domain”
  • net user _smuser white1234!@#$
  • cmd.exe “net localgroup administrators /add smi140199”
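The two observations above, ws_tomcatservice.exe launching PowerShell (Figure 1) and the discovery and account commands just listed, as a small triage rule over process-creation telemetry. This is an added example, not ASEC tooling; the event records are constructed, and the parent process names for the later commands are assumed.

```python
import re
from typing import Dict, List

# Parent/child pair from the ASD log (Figure 1): the Horizon Tomcat service has
# no business launching a shell, so this alone is worth an alert.
SUSPICIOUS_PARENT = "ws_tomcatservice.exe"
SHELLS = {"powershell.exe", "cmd.exe"}

# Patterns derived from the commands NukeSped issued in this attack.
COMMAND_RULES = [
    ("domain-admin enumeration", re.compile(r'net\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("logged-on user discovery", re.compile(r"\bquery\s+user\b", re.I)),
    ("account creation or password change", re.compile(r"\bnet\s+user\s+\S+\s+\S+", re.I)),
    ("local administrators group change", re.compile(r"net\s+localgroup\s+administrators\s+/add", re.I)),
]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched event, with the reason it was flagged."""
    findings = []
    for ev in events:
        if ev["parent"].lower() == SUSPICIOUS_PARENT and ev["image"].lower() in SHELLS:
            findings.append({"event": ev["cmdline"],
                             "reason": "shell spawned by VMware Horizon Tomcat (Log4Shell post-exploitation)"})
        for reason, rule in COMMAND_RULES:
            if rule.search(ev["cmdline"]):
                findings.append({"event": ev["cmdline"], "reason": reason})
    return findings

# Constructed process-creation events modelled on Figure 1 and the command list;
# not real telemetry, and the parent names for the later commands are assumed.
SAMPLE_EVENTS = [
    {"parent": "ws_tomcatservice.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command <elided>"},
    {"parent": "svc.exe", "image": "cmd.exe", "cmdline": 'cmd.exe /c "query user"'},
    {"parent": "svc.exe", "image": "cmd.exe", "cmdline": 'cmd.exe "net group "domain admins" /domain"'},
    {"parent": "svc.exe", "image": "net.exe", "cmdline": "net user _smuser <password>"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": 'cmd.exe /c "ipconfig /all"'},  # not flagged alone
]
```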


Jin Miner

Analyzing the ASD log of the infected system shows that, before the Lazarus group installed NukeSped, other attackers had already exploited the vulnerability to install Jin Miner. Jin Miner is known to be distributed through the Log4Shell vulnerability, as described in the earlier Sophos report.

Figure 6. ASD log for installing Jin Miner

Jin Miner, installed in the path shown above through a PowerShell command, is a CoinMiner that ultimately mines Monero.

Figure 7. Jin Miner install script add.bat file

Figure 8. Settings routine of Jin Miner

[IOC]
NukeSped (MD5, alias, and engine version)
– 87a6bda486554ab16c82bdfb12452e8b (Backdoor/Win.NukeSped.R487407) (2022.04.23.02)
– 830bc975a04ab0f62bfedf27f7aca673 (Trojan/Win.Andardoor.C5094639) (2022.04.21.01)
– 131fc4375971af391b459de33f81c253 (Backdoor/Win.NukeSped.R486619) (2022.04.21.00)
– 827103a6b6185191fd5618b7e82da292 (Backdoor/Win.NukeSped.R486595) (2022.04.20.03)
– 1875f6a68f70bee316c8a6eda9ebf8de (Backdoor/Win.NukeSped.R486595) (2022.04.20.03)

InfoStealer (MD5, alias, and engine version)
– 85995257ac07ae5a6b4a86758a2283d7 (Infostealer/Win.Pwstealer.C4510631) (2021.06.04.03)
– 47791bf9e017e3001ddc68a7351ca2d6 (Backdoor/Win.NukeSped.C4631988) (2021.09.15.01)

NukeSped Download URL
– hxxp://185.29.8[.]18/htroy.exe

NukeSped C&C URL
– 185.29.8[.]18:8888
– 84.38.133[.]145:443
– 84.38.133[.]16:8443
– mail.usengineergroup[.]com:8443

NukeSped Filename
– svc.exe
– srvCredit.exe
– runhostw.exe
– javarw.exe


Jin Miner (MD5, alias, and engine version)
– 7a19c59c4373cadb4556f7e30ddd91ac (CoinMiner/BAT.Generic) (2022.05.11.03)
– c2412d00eb3b4bccae0d98e9be4d92bb (CoinMiner/BAT.Generic) (2022.05.11.03)
– 8c8a38f5af62986a45f2ab4f44a0b983 (Win-Trojan/Miner3.Exp) (2020.01.29.00)
– 7ef97450e84211f9f35d45e1e6ae1481 (Win-Trojan/Miner3.Exp) (2020.01.29.00)
– dd4b8a2dc73a29bc7a598148eb8606bb (Unwanted/Win32.NSSM.R353938) (2020.10.27.00)

Jin Miner Download URL
– hxxp://iosk[.]org/pms/add.bat
– hxxp://iosk[.]org/pms/mad.bat
– hxxp://iosk[.]org/pms/jin.zip
– hxxp://iosk[.]org/pms/jin-6.zip
