
OSX/NukeSped

Posted: December 4, 2019

OSX/NukeSped is a backdoor Trojan targeting macOS or OS X environments. Its use correlates with attacks by the North Korean threat actor Lazarus Group, which may use fake software, e-mail phishing, and similar social-engineering means of targeting victims. A proper anti-malware product for your OS should remove OSX/NukeSped automatically before it can establish a backdoor for the attacker.

A Computer Nuke Speeding along Flash-Themed Wings

Software is increasingly becoming the weapon of warfare for the computer age, as the umbrella hacking group Lazarus Group shows so well. This North Korea-based organization conducts campaigns centred primarily on espionage, especially, but not exclusively, against South Korean government and business targets. While OSX/NukeSped is a very typical example of a backdoor Trojan from a state-sponsored threat actor, some aspects of its deployment hold unpleasant surprises.

OSX/NukeSped is a backdoor Trojan that runs in macOS or OS X environments and offers features that are conventional for a monitoring-based backdoor Trojan. OSX/NukeSped can terminate processes automatically, update its Command & Control (C&C) infrastructure, execute a range of system commands in a shell, and transfer files back and forth between the C&C server and infected computers. The attacks are driven by numeric 'command numbers,' and malware experts also note that OSX/NukeSped requires an initial server connection before it establishes its backdoor functionality.

The details of OSX/NukeSped's apparent distribution are slightly more creative and troubling than its nonetheless-threatening set of features. The Lazarus Group, which encompasses threat actors such as APT37 and tools like the HOPLIGHT Trojan, frequently uses OS-indiscriminate infection vectors, such as corrupted macros embedded in spreadsheets. OSX/NukeSped does things a little differently: it uses a Flash Player bundle that's specific to Mac environments. The tactic includes a legitimate copy of Flash Player that runs alongside the hidden, fake one that installs OSX/NukeSped, which provides some cover during the most vulnerable phase of the attack.
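The trojanized-bundle tactic described above leaves a simple trace a defender can check for: a macOS app bundle whose Contents/MacOS directory holds more executables than the single CFBundleExecutable its Info.plist declares. The script below is an added example, not code from the original page or from any analysis of the real sample; the bundle it builds is a constructed fixture, and the executable names (FlashPlayer, hidden_payload) are hypothetical.

```python
import plistlib
import stat
import tempfile
from pathlib import Path


def undeclared_executables(bundle: Path) -> list[str]:
    """Return executables under Contents/MacOS that Info.plist does not declare.

    A legitimate .app declares one CFBundleExecutable; a bundle that carries a
    second executable next to the genuine program is worth a closer look.
    """
    with (bundle / "Contents" / "Info.plist").open("rb") as fh:
        declared = plistlib.load(fh).get("CFBundleExecutable")
    macos_dir = bundle / "Contents" / "MacOS"
    extra = []
    for entry in sorted(macos_dir.rglob("*")):
        is_exec = entry.is_file() and entry.stat().st_mode & stat.S_IXUSR
        if is_exec and entry.name != declared:
            extra.append(str(entry.relative_to(macos_dir)))
    return extra


def make_sample_bundle(root: Path, hidden: bool) -> Path:
    """Constructed fixture (not a real sample): a minimal Flash-Player-like bundle.

    With hidden=True a second, undeclared executable is placed beside the
    declared one, mimicking the legitimate-plus-fake layout described above.
    """
    app = root / "Install Flash Player.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "FlashPlayer"}, fh)
    names = ["FlashPlayer"] + (["hidden_payload"] if hidden else [])
    for name in names:
        target = app / "Contents" / "MacOS" / name
        target.write_text("#!/bin/sh\nexit 0\n")  # placeholder, does nothing
        target.chmod(0o755)
    return app


def demo() -> dict:
    """Build a clean and a trojanized constructed bundle and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_sample_bundle(Path(tmp) / "clean", hidden=False)
        bad = make_sample_bundle(Path(tmp) / "bad", hidden=True)
        return {"clean": undeclared_executables(clean),
                "trojanized": undeclared_executables(bad)}


if __name__ == "__main__":
    print(demo())  # {'clean': [], 'trojanized': ['hidden_payload']}
```

Run undeclared_executables against a real bundle path to apply the same check; an empty list means every executable in Contents/MacOS is the declared one.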

Slowing the Flight Speed of a Trojan Armament

Some infrastructure related to OSX/NukeSped, particularly its Command & Control servers, suggests that these Flash tactics coincide with other campaigns using the more typical exploits of embedded Excel spreadsheets. Contact with the latter can occur through e-mail attachments whose content is tailored to the victim, such as an article containing insider industry references. The delivery of OSX/NukeSped's Flash Player bundle is less well-analyzed but could, again, use e-mail, social messaging networks, or compromised domains that are popular with the desired Web traffic.

Keeping macros and other 'advanced content' turned off by default, as most modern word-processing applications do, helps avoid many download-oriented vulnerabilities. Malware experts also encourage updating software whenever a relevant security patch is available, implementing secure passwords, and limiting admin privileges to only the users who need them. Many espionage-based attacks, including OSX/NukeSped's campaign, require initial mistakes and interaction from the victim.

Anti-malware tools for macOS environments should also detect and remove OSX/NukeSped where appropriate.

The pivot towards OSX/NukeSped's OS-specialized infection methodology means that the Lazarus Group is putting more effort than ever into hacking into systems. And, as usual, taking those efforts too flippantly means that attackers could easily take over your computer and, from there, your network.
