{"id":16789,"date":"2019-11-05T18:41:09","date_gmt":"2019-11-06T02:41:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10528\/"},"modified":"2019-11-05T18:41:09","modified_gmt":"2019-11-06T02:41:09","slug":"news-10528","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10528\/","title":{"rendered":"A Deep-Dive Analysis of the NukeSped RATs"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis<\/i><\/b><\/p>\n<h2>Introduction<\/h2>\n<p>Advanced Persistent Threat (APT) groups pose a great threat to global security, especially groups associated with nation states. Of all APT groups, those groups from North Korea have really stood out due to the great damage they have done as well as for their persistence. The U.S. Government, in particular, refers to the malicious threat actor connected to the North Korean government as HIDDEN COBRA.<\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html\">FortiGuard Labs<\/a> has been actively monitoring various APT groups such as HIDDEN COBRA. For example, in a <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/a-deep-dive-analysis-of-the-fallchill-remote-administration-tool.html\">previous post<\/a> we gave an overview of the FALLCHILL Remote Administration Tools (RATs). 
Recently, we noticed some new interesting samples from this group, so we decided to take a further look.<\/p>\n<h2>A Bird&#8217;s Eye View of the RAT Samples<\/h2>\n<p>The RAT samples we analyzed are summarized below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1429037574.img.png\/1571771548916\/ns-rat-one.png\" alt=\"Figure 1 RAT samples \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: RAT samples <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>At a high level, they share similar characteristics:<\/p>\n<ul>\n<li>Most are 32-bit<\/li>\n<li>Strings are encrypted to hinder analysis<\/li>\n<li>Compilation timestamps range from May 04 10:40:47 2017 to Feb 13 04:06:28 2018<\/li>\n<\/ul>\n<p>As we <b>shall<\/b> see, they actually share more similarities than differences. 
In some cases, they even reuse functions.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_904798259.img.png\/1571771541337\/ns-rat-two.png\" alt=\"Figure 2 Code Reuse \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Code Reuse <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Let\u2019s inspect the resource sections in more detail, as they often give clues to the origin of the malware.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1329976043.img.png\/1571771579271\/ns-rat-three.png\" alt=\"Figure 3: Language ID\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Language ID<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen, each resource has a language ID associated with it. 
Curiously, most samples have the language ID 1042.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1588253641.img.png\/1571771617536\/ns-rat-four.png\" alt=\"Figure 4: Most Samples Have the Language ID Of 1042.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Most Samples Have the Language ID Of 1042.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As per this <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/intl\/language-identifier-constants-and-strings\">authoritative source<\/a>, 1042 (0x0412) is the language identifier for Korean.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_2142210085.img.png\/1571771654717\/ns-rat-five.png\" alt=\"Figure 5: LANG_KOREAN\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: LANG_KOREAN<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Functionality of the Malware<\/h2>\n<p>Our analysis started by trying to get a feel for what this malware could possibly do on a victim\u2019s system. In general, the best way to do that is by inspecting the functionality (e.g. from an API) that it wants to invoke from the target system. 
So, let\u2019s get right to it.<\/p>\n<p>At first sight, this malware does not seem to invoke many APIs. The import table is short and does not import many common DLLs and functions. Our gut feeling suggested that it would likely resolve functions dynamically. And sure enough, we quickly found instances of <b>GetProcAddress<\/b>. It even encrypts its API names. In our experience, this is a common technique designed to hinder static analysis, but it does not stop dynamic analysis. So, we traced the malware and figured out the encrypted APIs.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1169946953.img.png\/1571774166099\/ns-rat-six.png\" alt=\"Figure 6: Decrypted APIs\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Decrypted APIs<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen, after patching in IDA everything starts to make sense.<\/p>\n<p>The following shows one special case where function names are not encrypted at all, and hence static analysis is enough.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1767948642.img.png\/1571774209040\/ns-rat-seven.png\" alt=\"Figure 7: Function Table\"\/>         <\/noscript>          <span 
class=\"cmp-image--title\">Figure 7: Function Table<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The hash of this special sample is b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9. As astute readers may have noticed, the order of the functions being loaded in this sample is very similar to other samples.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1219978667.img.png\/1571774261276\/ns-rat-eight.png\" alt=\"Figure 8: Main DLLs\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Main DLLs<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After patching up the function names in IDA, we can clearly see that the malware makes use of core functionalities like registry (<b>Advapi32.dll<\/b>), networking (<b>ws2_32.dll<\/b>), and so on.<\/p>\n<p>To persist, the malware inserts itself into a Run key:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1656529912.img.png\/1571774291682\/ns-rat-nine.png\" alt=\"Figure 9: Persistence\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Persistence<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In some other cases, the malware installs itself 
as a service.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_929746790.img.png\/1571774322996\/ns-rat-ten.png\" alt=\"Figure 10: Service\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Service<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As we can see, here is where the original name of the DLL is hidden.<\/p>\n<h2>Ghosts in the $hell<\/h2>\n<p>Let\u2019s get to the main functionality of NukeSped: Remote Administration Tool.<\/p>\n<p>After more reverse-engineering, we figured out the algorithm used to decode the strings.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1628254829.img.png\/1571774362256\/ns-rat-eleven.png\" alt=\"Figure 11: Decoding Routine\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Decoding Routine<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In a nutshell, the malware uses custom encryption based on <b>xor.<\/b> In turn, we used decodeCmd<b> <\/b>on this core function to decrypt commands from the remote attackers.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 
aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1045853855.img.png\/1571774391879\/ns-rat-twelve.png\" alt=\"Figure 12: Decode Commands \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Decode Commands <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1803725594.img.png\/1571776654958\/ns-rat-thirteen.png\" alt=\"Figure 13: Logic of the Shell\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Logic of the Shell<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Like a typical RAT, it listens for incoming commands, executes those commands, and then responds. 
The full control flow graph (CFG) looks like the following:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1577496441.img.png\/1571776692965\/ns-rat-fourteen.png\" alt=\"Figure 14: Control Flow Graph (CFG) \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Control Flow Graph (CFG) <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen in Figure 14, the control flow of a typical shell is clear. At the beginning is the common logic for parsing the command and its parameters, followed by a distinctly large switch-case that handles each command.<\/p>\n<p>We have reverse-engineered the logic of the RAT and found many classical RAT features:<\/p>\n<ul>\n<li>Iterate files in a folder<\/li>\n<li>Create a process as another user<\/li>\n<li>Iterate processes and modules<\/li>\n<li>Terminate a process<\/li>\n<li>Create a process<\/li>\n<li>Write a file<\/li>\n<li>Read a file<\/li>\n<li>Connect to a remote host<\/li>\n<li>Move a file<\/li>\n<li>Retrieve and launch additional payloads from the internet<\/li>\n<li>Get information about installed disks, including the disk type and the amount of free space on the disk<\/li>\n<li>Get the current directory<\/li>\n<li>Change to a different directory<\/li>\n<li>Remove itself and artifacts associated with it from the infected system<\/li>\n<\/ul>\n<h2>Attribution<\/h2>\n<p>Attribution is almost always an imprecise art, but let\u2019s consider the <b>key<\/b> evidence:<\/p>\n<ul>\n<li>The pattern of the encrypted strings, and the way strings are used for API loading (Figure 8, etc.)<\/li>\n<li>The feature set 
and the structure of the main function (RAT) are reminiscent of <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/a-deep-dive-analysis-of-the-fallchill-remote-administration-tool.html\">FALLCHILL<\/a> (below)\u00a0<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1445119815.img.png\/1571777120031\/ns-rat-fifteen.png\" alt=\"Figure 15: Logic of the Shell in FALLCHILL \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: Logic of the Shell in FALLCHILL <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>Most samples of NukeSped have the following cryptography blob (Figure 16). 
Interestingly, they also have a cryptography blob similar to this:\u00a0 \u00a0\u00a0<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image.img.png\/1571777170165\/ns-rat-sixteen.png\" alt=\"Figure 16: Cryptography Blob\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: Cryptography Blob<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>Interestingly, there are also file name references shared with <a href=\"https:\/\/www.us-cert.gov\/ncas\/analysis-reports\/AR19-100A\">HOPLIGHT<\/a><\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_2043839146.img.png\/1571777214760\/ns-rat-seventeen.png\" alt=\"Figure 17: Dumped File\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17: Dumped File<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1523068590.img.png\/1571777280957\/ns-rat-eighteen.png\" alt=\"Figure 18\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>Most samples (7 out of 10) of NukeSped carry the Korean language ID (see Figure 4).<\/li>\n<\/ul>\n<p>Given all the evidence so far, we can conclude that the NukeSped RATs are related to North Korean threat actors (HIDDEN COBRA).<\/p>\n<h2>Solution<\/h2>\n<p>Internal testing by FortiGuard Labs shows that all networks and devices being protected by Fortinet solutions running the latest subscription service updates were automatically protected from this malware.<\/p>\n<p>In particular, the FortiGuard Antivirus service detects the samples as follows:<\/p>\n<p style=\"margin-left: 40.0px;\">1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W64%252FHidCobra.A!tr%2522\">W64\/HidCobra.A!tr<\/a><br \/> 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><br \/> 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FTrojan.FPIA!tr%2522\">W32\/Trojan.FPIA!tr<\/a><br \/> 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><br \/> 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FHidCobra.9CFB!tr%2522\">W32\/HidCobra.9CFB!tr<\/a><br \/> 
0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><br \/> b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FHidCobra.9CFB!tr%2522\">W32\/HidCobra.9CFB!tr<\/a><br \/> c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><br \/> f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><br \/> fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5 <a href=\"https:\/\/www.virustotal.com\/gui\/search\/fortinet%253A%2522W32%252FNukeSped.AU!tr%2522\">W32\/NukeSped.AU!tr<\/a><\/p>\n<h2>C2<\/h2>\n<p><b>Malicious<\/b> URLs related to this malware are blocked by FortiGuard Web Filtering Service &amp; the botnet IP engine:<\/p>\n<p style=\"margin-left: 40.0px;\">119[.]18[.]230[.]253<\/p>\n<p style=\"margin-left: 40.0px;\">218[.]255[.]24[.]226<\/p>\n<p><i>The author wants to thank Artem Semenchenko for additional insights during the attribution process.<\/i><\/p>\n<p>As usual, FortiGuard Labs will keep an eye out for advanced threats like this to help keep everybody protected.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/QqmLFUy4jXo\/deep-analysis-nukesped-rat.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/deep-analysis-nukesped-rat\/_jcr_content\/root\/responsivegrid\/image_1429037574.img.png\/1571771548916\/ns-rat-one.png\"\/><br \/>FortiGuard Labs has been actively monitoring various APT groups such as HIDDEN COBRA. Recently, we noticed some new interesting samples from this group, so we decided to take a further look. 
Learn more.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16789","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16789"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16789\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16789"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}