Researchers Analyze North Korea-Linked NukeSped RAT

silversurfer

Fortinet security researchers took a deep dive into NukeSped malware samples that share multiple similarities with other malware families used by North Korean threat actors.
The analyzed malware samples, Fortinet reveals, share multiple characteristics, starting with the fact that they were compiled for 32-bit systems. They also feature encrypted strings to hinder analysis, and have compilation timestamps spanning from May 4, 2017 to February 13, 2018.
Most of the samples have the language ID for Korean and, in some cases, they even show the reuse of some functions, Fortinet’s security researchers have discovered.
The malware resolves functions dynamically, meaning that, at first, it appeared to invoke only a few APIs. Furthermore, the import table was found to be short and to import a small number of common DLLs and functions.
NukeSped, the researchers also discovered, encrypts API names in an attempt to hinder static analysis. They also noticed that the order of the functions being loaded is very similar to other samples.
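The header-level traits the post lists (32-bit build, compile timestamps between May 4, 2017 and February 13, 2018, and a short import table) can be checked with a few struct reads, which is useful for sorting a pile of suspect binaries before spending analyst time on them. The script below is an added example, not code from the post or from Fortinet's analysis; it parses the COFF and optional headers directly rather than using a PE library, and it builds its own header-only sample images for demonstration (constructed data, not real NukeSped samples). The `SMALL_IMPORT_THRESHOLD` cut-off of four DLLs is an assumption, since the post does not give a number.

```python
import struct
from datetime import datetime, timezone

# Compile-timestamp window that the post reports for the analysed samples.
WINDOW_START = datetime(2017, 5, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 2, 13, 23, 59, 59, tzinfo=timezone.utc)

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
IMPORT_DESCRIPTOR_SIZE = 20      # sizeof(IMAGE_IMPORT_DESCRIPTOR)
SMALL_IMPORT_THRESHOLD = 4       # assumed cut-off for "short import table"


def parse_pe_header(data: bytes) -> dict:
    """Read Machine, TimeDateStamp and the import directory size straight from
    the COFF and optional headers; no third-party PE library is required."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    dd_offset = opt + (96 if magic == PE32_MAGIC else 112)   # start of the data directories
    _import_rva, import_size = struct.unpack_from("<II", data, dd_offset + 8)  # entry 1 = imports
    # The import directory is an array of descriptors terminated by an all-zero entry.
    n_dlls = max(import_size // IMPORT_DESCRIPTOR_SIZE - 1, 0)
    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC,
        "compiled_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "imported_dlls": n_dlls,
    }


def triage(data: bytes) -> list:
    """Return the names of the reported header traits that this file exhibits."""
    h = parse_pe_header(data)
    hits = []
    if h["is_32bit"]:
        hits.append("32-bit build")
    if WINDOW_START <= h["compiled_at"] <= WINDOW_END:
        hits.append("compile timestamp in May 2017 - Feb 2018 window")
    if h["imported_dlls"] <= SMALL_IMPORT_THRESHOLD:
        hits.append("short import table (%d DLLs)" % h["imported_dlls"])
    return hits


def build_sample_header(machine: int, compiled_at: datetime, n_dlls: int) -> bytes:
    """Construct a header-only PE image for the demo (not a real sample): DOS
    header, PE signature, COFF header and a PE32 optional header whose import
    directory size corresponds to n_dlls descriptors plus the terminator."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers start right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, int(compiled_at.timestamp()), 0, 0, 224, 0x0102)
    opt = bytearray(224)                             # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    import_size = (n_dlls + 1) * IMPORT_DESCRIPTOR_SIZE
    struct.pack_into("<II", opt, 96 + 8, 0x2000, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> dict:
    """Run the triage over two constructed images: one matching every trait and one matching none."""
    suspicious = build_sample_header(IMAGE_FILE_MACHINE_I386, datetime(2017, 11, 1, tzinfo=timezone.utc), 3)
    benign = build_sample_header(IMAGE_FILE_MACHINE_AMD64, datetime(2020, 1, 1, tzinfo=timezone.utc), 12)
    return {"suspicious": triage(suspicious), "benign": triage(benign)}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits or "no matching traits")
```

On real files, feed the first few kilobytes of each binary to `triage()`; the header fields it reads all live before the section data. These traits are triage hints for prioritising samples, not attribution on their own: plenty of legitimate 32-bit software has a small import table, and the encrypted strings and run-time API resolution the post describes only show up when the binary is actually unpacked or executed.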