lazarusholic


A Deep-Dive Analysis of the NukeSped RATs

2019-10-23, Fortinet
https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat
#NukeSped

FortiGuard Labs Threat Research
A FortiGuard Labs Threat Analysis
Advanced Persistent Threat (APT) groups pose a serious threat to global security, especially those associated with nation states. Among them, the groups attributed to North Korea stand out both for the damage they have caused and for their persistence. The U.S. Government refers to the malicious threat actor connected to the North Korean government as HIDDEN COBRA.
FortiGuard Labs has been actively monitoring APT groups such as HIDDEN COBRA. In a previous post, for example, we gave an overview of the FALLCHILL Remote Administration Tool (RAT). Recently we noticed some new and interesting samples from this group, so we decided to take a closer look.
The RAT samples we analyzed are summarized below:
At a high level, they share similar characteristics:
As we shall see, they actually share more similarities than differences. In some cases, they even reuse functions.
Let’s …

IoC

SHA-256 (samples):
0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319
1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8
f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5

IP addresses (C2):
119.18.230.253
218.255.24.226

URLs (C2):
http://119.18.230.253
http://218.255.24.226
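As an added example that is not part of the Fortinet report or the lazarusholic page, the following Python script turns the IoC list above into two practical checks: hashing files and comparing them against the listed SHA-256 values, and scanning proxy-log lines for the two C2 addresses (the two http:// URLs in the list are those same IPs). The sample log lines are constructed for the demonstration, and the IPv4 pattern and function names are my own choices, not anything from the report.

```python
"""Match files and proxy-log lines against the NukeSped IoCs (added example)."""
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 hashes of the NukeSped samples from the IoC list, lower-case hex.
NUKESPED_SHA256 = frozenset({
    "0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571",
    "084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319",
    "1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676",
    "32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11",
    "73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33",
    "8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520",
    "b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9",
    "c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8",
    "f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03",
    "fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5",
})

# C2 addresses from the IoC list; the listed http:// URLs point at these IPs.
NUKESPED_C2_IPS = frozenset({"119.18.230.253", "218.255.24.226"})

# Dotted-quad matcher; the lookarounds stop it from matching a C2 address
# that is merely a suffix or prefix of a longer dotted string.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_sample(hexdigest: str) -> bool:
    """True if the digest (any case, surrounding whitespace ignored) is listed."""
    return hexdigest.strip().lower() in NUKESPED_SHA256


def find_c2_hits(log_lines):
    """Return (line_number, ip) for every log line that references a C2 IP."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in NUKESPED_C2_IPS:
                hits.append((lineno, ip))
    return hits


# Constructed sample proxy log lines for the demonstration; not from the report.
# Line 4 is a deliberate near-miss on the same /24 that must not match.
SAMPLE_PROXY_LOG = [
    "2019-10-23T10:01:02Z 10.0.0.15 GET http://119.18.230.253/ 200",
    "2019-10-23T10:01:05Z 10.0.0.15 GET http://example.invalid/index.html 200",
    "2019-10-23T10:02:11Z 10.0.0.22 POST http://218.255.24.226/ 200",
    "2019-10-23T10:03:00Z 10.0.0.31 GET http://119.18.230.200/ 404",
]


def main(argv):
    """Usage: script.py FILE... ; hashes each file and scans the sample log."""
    for arg in argv[1:]:
        path = Path(arg)
        if path.is_file():
            verdict = "MATCH" if is_known_sample(sha256_of_file(path)) else "clean"
            print(f"{path}: {verdict}")
    for lineno, ip in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"sample log line {lineno}: C2 address {ip}")


if __name__ == "__main__":
    main(sys.argv)
```

In production the log lines would come from the proxy or firewall export rather than the embedded sample, and the hash set would be loaded from a feed; the matching logic stays the same.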