Threat behavior
The Trojan:Win32/NukeSped infection chain typically begins when a user runs a seemingly legitimate file delivered through a social engineering campaign. These files often appear as job offers, skill assessments, or software installers relevant to the victim's professional interests. One documented delivery method uses Microsoft Word documents with malicious macro scripts. When macros are enabled, the document uses Windows Management Instrumentation (WMI) to start the execution chain, dropping a first-stage loader such as AlgStore.exe. This loader contacts a remote server to retrieve additional components. Another approach uses large installers (around 30 MB) built on the InstallShield engine. These installers drop configuration files and log files in temporary directories before executing the main malicious MSI package.
The installer performs environment checks and proceeds with component installation only when it detects system conditions that suggest a genuine target rather than a sandbox. The loader components use encryption to protect the primary remote access payload. AlgStore.exe contains a resource section named "OTC" that stores the second-stage binary in encrypted form. The loader uses the hardcoded decryption key "!zGYX*ei$%HrW9#a" to decode this payload and load it directly into process memory. This technique, known as reflective loading, lets the malware run without writing a permanent file to disk. Some variants go further by using living-off-the-land binaries to facilitate execution: the infection chain might involve wmiprvse.exe spawning mshta.exe, which then launches the first-stage payload. This approach helps malicious activity blend in with normal device operations.
Once active, the remote access tool may inject code into stable, long-running Windows processes such as explorer.exe or svchost.exe to maintain a long-term presence. Network communication uses several layers of protection. Many variants mimic Transport Layer Security traffic while employing custom internal encryption. The malware initiates sessions using legitimate SSL certificates copied from well-known internet services, which helps deceive deep packet inspection tools. Internally, the malware protects data with a rotating XOR and ADD cipher. For data transmission, each byte is XORed with 0x47 and then 0x28 is added. For received data the process is reversed: 0x28 is subtracted from each byte and the result is XORed with 0x47. Command and control servers operate from diverse infrastructure, including compromised legitimate sites. Observed controller addresses include:
- bug[.]restoroad[.]com (46[.]105[.]57[.]169)
- hurricanepub[.]com (50[.]192[.]28[.]29)
- turnscor[.]com (67[.]225[.]140[.]4)
- coralsunmarine[.]com (23[.]111[.]133[.]162)
- kazitradebd[.]com (104[.]21[.]80[.]1)
- certix-z3[.]com (62[.]75[.]183[.]68)
- 62[.]75[.]183[.]67
- 78[.]11[.]12[.]13
- 175[.]207[.]13[.]231
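The per-byte XOR/ADD transform described in the paragraph before the controller list, re-implemented as an added example (this is not code from the original page or from Microsoft). The encode direction is what the malware applies to outgoing data (XOR 0x47, then add 0x28); the decode direction is what it applies to received data (subtract 0x28, then XOR 0x47). Two assumptions are mine: that the controller mirrors the same transform, so an analyst recovers a captured payload in either direction with the decode routine, and that a printable-ratio heuristic is a reasonable way to triage which captured streams are worth decoding. The beacon text is constructed, not a real capture.

```python
"""Decoder for the per-byte XOR/ADD transform described in the analysis.

Added example, not code from the original page or from Microsoft.
Outbound (malware -> controller): c = ((p ^ 0x47) + 0x28) mod 256.
Inbound  (controller -> malware): p = ((c - 0x28) mod 256) ^ 0x47.
Assumption: the controller mirrors the transform, so a captured payload in
either direction is recovered with decode_payload(). The beacon below is a
constructed sample, not a real capture.
"""

XOR_KEY = 0x47
ADD_KEY = 0x28


def encode_payload(plain: bytes) -> bytes:
    """Outbound transform: XOR each byte with 0x47, then add 0x28 (mod 256)."""
    return bytes(((b ^ XOR_KEY) + ADD_KEY) & 0xFF for b in plain)


def decode_payload(cipher: bytes) -> bytes:
    """Inbound transform: subtract 0x28 (mod 256), then XOR with 0x47."""
    return bytes(((b - ADD_KEY) & 0xFF) ^ XOR_KEY for b in cipher)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    text_bytes = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return text_bytes / len(data)


def decodes_to_text(payload: bytes, threshold: float = 0.95) -> bool:
    """Triage heuristic (my own, not from the analysis): a payload that is not
    readable as captured but becomes readable after decode_payload() deserves
    a closer look. Spaces, digits and common punctuation such as '=' and ';'
    land outside printable ASCII after the transform, so an encoded beacon
    normally fails the first test while its decoded form passes the second."""
    return (printable_ratio(payload) < threshold
            and printable_ratio(decode_payload(payload)) >= threshold)


# Constructed beacon text standing in for what a capture might decode to.
SAMPLE_BEACON = b"host=WS01;user=jdoe;os=Windows 10\n"
CAPTURED = encode_payload(SAMPLE_BEACON)   # plays the role of a captured payload


def recover(captured: bytes) -> str:
    """Decode a captured payload and return it as text for the analyst."""
    return decode_payload(captured).decode("ascii", errors="replace")


if __name__ == "__main__":
    # Round-trip check over every byte value, then the constructed sample.
    assert decode_payload(encode_payload(bytes(range(256)))) == bytes(range(256))
    print("raw printable ratio   :", round(printable_ratio(CAPTURED), 2))
    print("looks like this cipher:", decodes_to_text(CAPTURED))
    print("recovered             :", recover(CAPTURED))
```

Because the transform is a fixed per-byte operation with no key schedule, the same routine recovers every message once the two constants are known; the heuristic only helps decide which of many TLS-look-alike streams to run it on.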
A distinctive feature of some variants is the ability to transform infected hosts into proxy servers. This allows threat actors to use compromised machines as relay points, routing traffic between their operations and additional targets. The malware binds to a specific port such as 8000 and listens for incoming connections. To ensure only authorized operators can use the proxy, the malware implements an authentication handshake requiring a specific ASCII string "1qazXSDC23we". Connections that do not provide the correct string terminate immediately. After successful authentication, operators can issue secondary commands like "ghfghjuyufgdgftr" to initiate proxying functions. This modular approach allows threat actors to move through victim networks with greater control and reduced risk of detection.
Persistence mechanisms ensure the malware survives Windows restarts. The malware installs services that run automatically at system startup, such as a service named UDPTrcSvc with display name "Network UDP Trace Management Service" configured to start automatically under the LocalSystem account. The service image path points to "%SystemRoot%\System32\svchost.exe -k mdnetuse". Registry modifications maintain execution through multiple paths. The malware adds entries to the Run keys, including "MaliciousUpdater" pointing to files in the AppData Roaming folder and "VnrPack" pointing to malicious binary paths. Some variants modify security settings, including the WDigest registry key (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest), to facilitate credential theft. Dropped files appear in temporary directories with randomized names, including configuration files whose names end in "_ISMSIDEL.ini" and log files such as "0x0409.ini".
The malware may drop modified InstallShield engine files, including "ISSetup.dll", and core payloads named with patterns like "UnionCryptoTrader.msi". Some variants install kernel-level components such as "usbdrv3.sys" in the temporary folder to gain elevated privileges. Additional artifacts include "net_ver.dat", containing lists of compromised IP addresses, and staged payloads saved as "lconcaches.db" in the AppData Microsoft Windows folder.
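The controller list, the proxy-module strings, and the persistence artifacts above are the material a detection engineer turns into hunting logic. The following is an added example of that (not code from the original page or from Microsoft): it refangs the defanged indicator list, then checks network flow and host telemetry records against the indicators named in the analysis. The record layout (kind, dst_ip, server_name, payload, image_path, value_name, path) is an assumption chosen for the example rather than any product's export format, and every sample record is constructed.

```python
"""Hunting checks for the NukeSped indicators listed in the analysis.

Added example, not code from the original page or from Microsoft. The
record layout used below is an assumption for the demonstration, and all
sample records are constructed.
"""
from __future__ import annotations
import re

# Controller list as the analysis prints it (defanged with "[.]").
DEFANGED_C2 = """
bug[.]restoroad[.]com (46[.]105[.]57[.]169)
hurricanepub[.]com (50[.]192[.]28[.]29)
turnscor[.]com (67[.]225[.]140[.]4)
coralsunmarine[.]com (23[.]111[.]133[.]162)
kazitradebd[.]com (104[.]21[.]80[.]1)
certix-z3[.]com (62[.]75[.]183[.]68)
62[.]75[.]183[.]67
78[.]11[.]12[.]13
175[.]207[.]13[.]231
"""
PROXY_HANDSHAKE = "1qazXSDC23we"     # string the proxy module requires first
PROXY_COMMAND = "ghfghjuyufgdgftr"   # secondary command after authentication
SERVICE_NAME = "UDPTrcSvc"
SERVICE_GROUP = "-k mdnetuse"        # svchost group named in the image path
RUN_VALUES = {"MaliciousUpdater", "VnrPack"}
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
DROPPED_FILES = {"algstore.exe", "issetup.dll", "unioncryptotrader.msi",
                 "usbdrv3.sys", "net_ver.dat", "lconcaches.db", "0x0409.ini"}
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(token: str) -> str:
    """Turn a defanged indicator such as a[.]b[.]c back into a.b.c."""
    return token.replace("[.]", ".")


def parse_indicators(text: str) -> tuple[set[str], set[str]]:
    """Split a defanged list into (domains, ips); parentheses act as separators."""
    domains, ips = set(), set()
    for token in re.findall(r"[A-Za-z0-9\-\[\].]+", text):
        value = refang(token).lower()
        (ips if _IP_RE.match(value) else domains).add(value)
    return domains, ips


C2_DOMAINS, C2_IPS = parse_indicators(DEFANGED_C2)


def check_flow(flow: dict) -> list[str]:
    """Reasons a flow record matches: destination address, TLS/HTTP server
    name, or proxy-module strings at the start of the payload."""
    reasons = []
    if flow.get("dst_ip") in C2_IPS:
        reasons.append(f"destination {flow['dst_ip']} is a listed controller")
    name = (flow.get("server_name") or "").lower()
    if name in C2_DOMAINS:
        reasons.append(f"server name {name} is a listed controller")
    payload = flow.get("payload") or ""
    if payload.startswith(PROXY_HANDSHAKE):
        reasons.append("proxy-module authentication handshake seen")
    if PROXY_COMMAND in payload:
        reasons.append("proxy-module secondary command seen")
    return reasons


def check_host_event(event: dict) -> list[str]:
    """Reasons a service, registry or file event matches the persistence artifacts."""
    reasons = []
    kind = event.get("kind")
    if kind == "service":
        if event.get("name") == SERVICE_NAME:
            reasons.append(f"service {SERVICE_NAME} installed")
        if SERVICE_GROUP in event.get("image_path", ""):
            reasons.append(f"svchost image path uses group '{SERVICE_GROUP}'")
    elif kind == "registry":
        path = event.get("path", "").lower()
        if path.startswith(WDIGEST_KEY.lower()):
            reasons.append("write under the WDigest security provider key")
        if path.endswith("\\currentversion\\run") and event.get("value_name") in RUN_VALUES:
            reasons.append(f"Run value {event['value_name']} added")
    elif kind == "file":
        name = event.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES or name.endswith("_ismsidel.ini"):
            reasons.append(f"dropped file name {name} matches the analysis")
    return reasons


def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the matching checker over mixed records; return (index, reasons) per hit."""
    hits = []
    for i, rec in enumerate(records):
        reasons = check_flow(rec) if rec.get("kind") == "flow" else check_host_event(rec)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed telemetry: records 0-1 are benign, the rest should be flagged.
SAMPLE_RECORDS = [
    {"kind": "flow", "dst_ip": "203.0.113.10", "server_name": "example.com", "payload": ""},
    {"kind": "service", "name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"kind": "flow", "dst_ip": "46.105.57.169", "server_name": "bug.restoroad.com", "payload": ""},
    {"kind": "flow", "dst_ip": "203.0.113.44", "server_name": "", "payload": PROXY_HANDSHAKE},
    {"kind": "service", "name": "UDPTrcSvc", "image_path": r"%SystemRoot%\System32\svchost.exe -k mdnetuse"},
    {"kind": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "VnrPack"},
    {"kind": "registry", "path": WDIGEST_KEY},   # the analysis names only the key, so any write there is flagged
    {"kind": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\5f2c_ISMSIDEL.ini"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_RECORDS):
        print(index, "; ".join(reasons))
```

The file-name and service-name matches are the weakest signal on their own (names are cheap to change between variants); the WDigest key write and the svchost group string are more durable, and the handshake string is only visible where the proxy port is not wrapped in the mimicked TLS layer, so treat each match as a lead for the reviewer rather than a verdict.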
Prevention
- Apply security updates promptly across all devices, with special attention to vulnerabilities in enterprise software including Log4j and web server components that provide initial access vectors for malware deployment.
- Restrict users to standard accounts without administrative privileges. Control the use of administrative credentials strictly to prevent malware from achieving long-term persistence through service installation or boot process modification.
- Activate Attack Surface Reduction rules in Microsoft Defender to block techniques used in the infection chain, including the creation of child processes by Office applications and launches of obfuscated scripts.
- Deactivate unnecessary services on all systems to reduce potential targets for malware. File and Printer sharing should remain disabled on public facing workstations.
- Segment corporate networks to prevent lateral movement following an initial infection. Ensure compromised endpoints cannot easily reach sensitive data storage or critical research assets.
- Monitor and restrict outbound connections, particularly to IP addresses and domains documented in the indicators of compromise. Implement proxy servers that inspect outgoing traffic for the custom encryption patterns used by this malware family.
- Deploy intrusion prevention signatures that detect the authentication handshake strings used by the proxy module, including the specific ASCII sequences documented in the technical analysis.
- Train employees, particularly those in roles with access to sensitive data, to recognize social engineering lures. Emphasize caution when receiving unsolicited job offers or skill assessment requests through professional networking platforms.
- Enforce strict policies regarding removable media use, as some variants include components designed to spread through USB storage devices.
- Encourage immediate reporting of unusual system behavior including sudden performance drops, unexpected firewall prompts, or unfamiliar service installations. Early reporting provides the best opportunity to contain infections before significant data loss occurs.
- Maintain regular backups of critical devices stored offline or in segmented networks to support recovery if eradication requires system restoration.
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.