NukeSped Detection: Warning Over NukeSped Malware as It Hits South Korea

[post-views]
May 24, 2022 · 3 min read
NukeSped Detection

State-run threat actor Lazarus rides again, this time exploiting the notorious Log4Shell vulnerability in VMware Horizons servers. In this campaign, adversaries leverage Horizon, targeting the Republic of Korea with a NukeSped backdoor. First documented exploits date back to January 2022, with Lazarus hackers being spotted exploiting Log4Shell in VMware Horizons products since mid-Spring 2022. Almost half a year later, these exploits still remain a burning issue.

Detect NukeSped

Leverage a new Sigma rule by a keen Threat Bounty developer Sohan G, released in the Threat Detection Marketplace repository of SOC Prime’s platform. The rule enables detection of the possible malicious activity associated with NukeSped malware:

Possible Detection of Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) (via file_event)

The detection is available for the 20 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the main technique.

The world’s leading Detection as Code platform has aggregated 185K+ detection algorithms and threat hunting queries for multiple security platforms. Hit the View Detections button to browse through a rich library of detection content. Eager to develop your own Sigma rules, increase your threat hunting velocity, and contribute to the global threat hunting initiatives? Join our Threat Bounty Program!

View Detections Join Threat Bounty

NukeSped Malware Analysis

North Korea-sponsored threat actors from Lazarus Group remain active in 2022, continuously widening the scope of their attacks, mostly targeting countries in the Asia-Pacific (APAC) region. This time, adversaries exploit an infamous Log4Shell vulnerability that is affecting Apache Log4j Java logging library, which since December 2021 has been actively abused by multiple threat actors.

The analysis team from the Ahnlab ASEC reported that Lazarus hackers use Vmware Horizon’s Apache Tomcat service to run a PowerShell script exploiting the Log4j. The PowerShell command installs the backdoor on the compromised server, where it is used for cyber espionage, e.g., stealing sensitive data, keyboard capturing, taking screenshots, and fetching malicious payloads to be deployed onto the targeted system, such as console-based information-stealer malware.

The malware variant used in this campaign is C++-written, used by Lazarus since at least 2020. According to the researchers, in this campaign, adversaries sometimes opted for the deployment of Jin Miner, a cryptocurrency miner bot, to target Horizon hosts.

Ready to explore the SOC Prime’s platform and see the Detection as Code in action? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the community.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts