Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)

Malware Analysis
1

In December last year, the vulnerability (CVE-2021-44228) of Java-based logging utility Log4j became a worldwide issue. It is a remote code execution vulnerability that can include the remote Java object address in the log message and send it to the server using Log4j to run the Java object in the server.

[Alert] Apache Log4j 2 Vulnerability, Update Recommended

The ASEC analysis team is monitoring the Lazarus group’s attacks on targets in Korea. In April, the team discovered an attack group suspected of being Lazarus distributing NukeSped by exploiting the vulnerability. The attacker used the log4j vulnerability on VMware Horizon products that were not applied with the security patch. The products are virtual desktop solutions, used mainly by companies for remote working solutions and cloud infrastructure operations. With the recent spread of Covid-19, it is likely that many companies are using the products for remote working.


NukeSped

The following is AhnLab’s ASD (AhnLab Smart Defense) log for NukeSped being installed by the powershell command executed on VMware Horizon’s process ‘ws_tomcatservice.exe’.

Figure 1. ASD log for NukeSped installation


Analysis of NukeSped

NukeSped is a backdoor malware that can receive attacker commands from the C&C server and perform the received commands. The malware type mentioned in this post is one of the variants of NukeSped, that have been used by the Lazarus group since 2020. The variant was discussed in detail in the ASEC blog post shown below. This post will briefly introduce the NukeSped type used in the attack and compare it with the previous version.

Analysis Report of Lazarus Group’s NukeSped Malware

The variant is developed with C++. As it uses virtual functions, class names are included in the binary (see Figure 2).

Figure 2. Class names of NukeSped

It normally uses DES algorithm to decrypt internal strings including API names and the list of C&C servers. To communicate with the C&C server, it uses the RC4 algorithm. But there are some changes as well: the previous blog post had types that used the Xor encryption (CryptorXor class) instead of the RC4 algorithm to communicate with the C&C server. But for this attack, there was a type using the RC4 algorithm for internal strings, a list of C&C servers, and C&C server communication. Each process uses a different value for the RC4 key.

  • RC4 Key 1 (decrypting strings): 7B CA D5 7E 1B AE 26 D8 60 1B 61 DA 83 80 11 72 01 6C 54 D8 8A E8 DE 7B 1A 0A
  • RC4 Key 2 (C&C communications): CD 80 5D D6 6C 1C 63 78 AF 13 7F 67 5B E9 B1 F4 87 27 EE 91 F3 5F 17 EE 9B 6A 28 61 8C F4
Figure 3. RC4 key used for decrypting strings

After the process for decrypting strings and API Resolving is complete, the malware starts communicating with the C&C server. NukeSped goes through an additional verification process after accessing the C&C server by sending a string disguised as SSL communication. When the malware receives certain strings, it will recognize the server as a normal C&C server and proceeds with the routine. As shown in the previous analysis report, there are two types of strings used for the process.

C&C RequestsC&C Responses
Type 1HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7HTTP 1.1 200 OK SSL2.1
Type 2HTTP 1.1 /member.php SSL3.4HTTP 1.1 200 OK SSL2.1
Table 1. C&C request and response values for each type

The malware then finds the MAC address of the user environment and sends it to the C&C server after encrypting it with the RC4 algorithm. It will also encrypt packets with the algorithm in the subsequent communications.

Figure 4. Communication process with the C&C server

NukeSped can perform keylogging, taking screenshots, and file and shell tasks depending on the command it receives. The features exist in the classes shown below. Note that ModuleUsbDump and ModuleWebCamera are new features discovered in this attack.

  • ModuleUpdate
  • ModuleShell
  • ModuleFileManager
  • ModuleKeyLogger
  • ModuleSocksTunnel
  • ModuleScreenCapture
  • ModuleInformation
  • ModulePortForwarder
  • ModuleUsbDump
  • ModuleWebCamera


Attacks using NukeSped

Installing INFOSTEALER

The attacker used NukeSped to additionally install infostealer. The 2 malware types discovered are both console types, not saving the leak result in separate files. As such, it is assumed that the attacker remotely controlled the GUI screen of the user PC or leaked data in the pipeline form. One of the 2 malwares is the same file used in the previous attack.

Figure 5. List of collected information

The list of softwares and data for info-leakage is as follows:

  • Collected Data: accounts and passwords saved in browsers, browser history
    Targeted Software: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale
  • Collected Data: email account information
    Targeted Software: Outlook Express, MS Office Outlook, and Windows Live Mail
  • Collected Data: Names of recently used files
    Targeted Software: MS Office (PowerPoint, Excel, and Word) and Hancom 2010

NukeSped Use Commands

The attacker collected additional information by using backdoor malware NukeSped to send command line commands. The following commands show the basic network and domain information of the environment that has the infected system. The collected information can be used later in lateral movement attacks. If the attack succeeds, the attacker can dominate the systems within the domain.

  • cmd.exe /c “ping 11.11.11.1”
  • cmd.exe /c “ipconfig /all”
  • cmd.exe /c “query user”
  • cmd.exe “net group “domain admins” /domain”
  • net user _smuser white1234!@#$
  • cmd.exe “net localgroup administrators /add smi140199”


Jin Miner

Analyzing the ASD log for the infected system shows that before the Lazarus group installed NukeSped, other attackers had already exploited the vulnerability to install Jin Miner. Jin Miner is known as a malware strain distributed through the Log4Shell vulnerability, as shown in the previous Sophos report.

Figure 6. ASD log for installing Jin Miner

Installed in the path shown above through the powershell command, Jin Miner is a CoinMiner that ultimately mines the Monero coin.

Figure 7. Jin Miner install script add.bat file

Figure 8. Settings routine of Jin Miner

[IOC]
NukeSped (MD5, alias, and engine version)
– 87a6bda486554ab16c82bdfb12452e8b (Backdoor/Win.NukeSped.R487407) (2022.04.23.02)
– 830bc975a04ab0f62bfedf27f7aca673 (Trojan/Win.Andardoor.C5094639) (2022.04.21.01)
– 131fc4375971af391b459de33f81c253 (Backdoor/Win.NukeSped.R486619) (2022.04.21.00)
– 827103a6b6185191fd5618b7e82da292 (Backdoor/Win.NukeSped.R486595) (2022.04.20.03)
– 1875f6a68f70bee316c8a6eda9ebf8de (Backdoor/Win.NukeSped.R486595) (2022.04.20.03)

InfoStealer (MD5, alias, and engine version)
– 85995257ac07ae5a6b4a86758a2283d7 (Infostealer/Win.Pwstealer.C4510631) (2021.06.04.03)
– 47791bf9e017e3001ddc68a7351ca2d6 (Backdoor/Win.NukeSped.C4631988) (2021.09.15.01)

NukeSped Download URL
– hxxp://185.29.8[.]18/htroy.exe

NukeSped C&C URL
– 185.29.8[.]18:8888
– 84.38.133[.]145:443
– 84.38.133[.]16:8443
– mail.usengineergroup[.]com:8443

NukeSped Filename
– svc.exe
– srvCredit.exe
– runhostw.exe
– javarw.exe


Jin Miner (MD5, alias, and engine version)
– 7a19c59c4373cadb4556f7e30ddd91ac (CoinMiner/BAT.Generic) (2022.05.11.03)
– c2412d00eb3b4bccae0d98e9be4d92bb (CoinMiner/BAT.Generic) (2022.05.11.03)
– 8c8a38f5af62986a45f2ab4f44a0b983 (Win-Trojan/Miner3.Exp) (2020.01.29.00)
– 7ef97450e84211f9f35d45e1e6ae1481 (Win-Trojan/Miner3.Exp) (2020.01.29.00)
– dd4b8a2dc73a29bc7a598148eb8606bb (Unwanted/Win32.NSSM.R353938) (2020.10.27.00)

Jin Miner Download URL
– hxxp://iosk[.]org/pms/add.bat
– hxxp://iosk[.]org/pms/mad.bat
– hxxp://iosk[.]org/pms/jin.zip
– hxxp://iosk[.]org/pms/jin-6.zip

The post Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) appeared first on ASEC BLOG.

Article Link: Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) - ASEC BLOG