Researchers Analyze North Korea-Linked NukeSped RAT

Fortinet security researchers took a deep dive into NukeSped malware samples that share multiple similarities with other malware families used by North Korean threat actors.

The remote access Trojan (RAT) is associated with the state-sponsored Lazarus Group, which is tracked by the U.S. government as Hidden Cobra. Last year, security researchers linked several North Korean hacking groups to Lazarus via code reuse and the newly analyzed samples reinforce that connection.

The analyzed malware samples, Fortinet reveals, share multiple characteristics, starting with the fact that they were compiled for 32-bit systems. They also feature encrypted strings to hinder analysis, and have compilation timestamps spanning from May 4, 2017 to February 13, 2018.

Most of the samples have the language ID for Korean and, in some cases, they even show the reuse of some functions, Fortinet’s security researchers have discovered.

The malware resolves functions dynamically, meaning that, at first, it appeared to invoke only few APIs. Furthermore, the import table was found to be short and to import a small number of common DLLs and functions.

NukeSped, the researchers also discovered, would also encrypt API names in an attempt to hinder static analysis. They also noticed that the order of the functions being loaded is very similar to other samples.

For persistence, the RAT inserts itself into a Run registry key, though in some cases it installs itself as a service.

The main functionality of the malware is to provide attackers with remote administration of the infected host.

Its list of features includes the ability to iterate files in a folder, create a process as another user, iterate processes and modules, terminate or create a process, write or read a file, move a file, get information about installed disks (including the disk type and the amount of free space on the disk), get the current directory, and change to a different directory.

The malware can also connect to a remote host, retrieve and launch additional payloads from the Internet, and remove itself and artifacts associated with it from the infected system.

Based on the analysis of the pattern of the encrypted strings and how the string is used for API loading, as well as the fact that the feature set and the structure of the main function (RAT) are reminiscent of FALLCHILL, Fortinet’s researchers believe the malware is linked to North Korea.

This conclusion, they say, is also based on the use of a specific cryptography blob in most samples of NukeSped, and on the fact that there are some file name references shared with HOPLIGHT. On top of that, 7 out of 10 NukeSped samples are in Korean.

“Given all the evidence so far, we can conclude that the NukeSped RATs have some relation to North Korea threat actors (HIDDEN COBRA),” Fortinet notes.

Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

Related: U.S. Attributes New Trojan to North Korean Hackers