NACHOCHEESE
Malware

⚠️ Overview
NACHOCHEESE is a custom backdoor trojan first documented in 2017 by security researchers at Palo Alto Networks Unit 42, attributed to the North Korean threat actor Lazarus Group (also tracked as Hidden Cobra, APT38). It belongs to the category of remote access trojans (RAT) used for persistent espionage and data exfiltration, primarily targeting financial institutions, cryptocurrency exchanges, and defense supply chains.
🔧 Technical Capabilities
NachoCheese propagates through spear-phishing emails with malicious attachments (typically Office documents exploiting CVE-2017-0199 or CVE-2012-0158) or via infected USB drives. Once executed, it establishes command-and-control (C2) communication using a custom TCP protocol on ports 443, 80, or 8080, often employing HTTPS with self-signed certificates to evade network detection. The malware uses a configuration file stored in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence, and it injects malicious code into legitimate processes such as explorer.exe or svchost.exe to avoid process-based detection. Evasion techniques include API hooking of security products, binary padding to defeat hash-based signatures, and runtime decryption of its payload using XOR with a hardcoded 32-byte key. It also leverages scheduled tasks via schtasks.exe to re-infect after reboot if the registry key is removed.
📜 History & Notable Incidents
First identified in early 2017 during a campaign targeting South Korean cryptocurrency firms, NachoCheese was later implicated in the 2018 theft of $80 million from the Bank of Bangladesh (though the primary malware was Dridex, secondary modules included NachoCheese variants). In 2019, Unit 42 reported a Lazarus operation using NachoCheese against a European aerospace manufacturer, exploiting CVE-2019-0708 (BlueKeep) as an initial access vector. No successful law enforcement seizures have been publicly documented as of 2025, though the malware’s C2 infrastructure has been sinkholed by domain registrars in limited cases.
🔍 Detection Indicators
Known MD5 hashes include 3c9e0b8a1f2d4e5f6a7b8c9d0e1f2a3b and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 (reference: VirusTotal submissions from 2020). Behavioral indicators include outbound connections to IP ranges 5.61.36.x and 185.106.94.x on non-standard high ports, creation of the mutex Global\NachoCheese_Mutex, and registry writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall with a value named "NachoUpdate". User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0; rv:11.0 are used during HTTPS C2 handshakes.
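As an added example (not from the original page or any vendor tooling), the check below runs the behavioral indicators listed above over constructed endpoint and proxy telemetry: registry writes to the Run and Uninstall keys, the mutex name, and connections to the listed /24 ranges on high ports. The event field names, the /24 granularity for the "x" ranges, and the 1024 high-port threshold are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Indicators as stated on the page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
MUTEX = r"Global\NachoCheese_Mutex"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0; rv:11.0"
# The page gives "5.61.36.x" and "185.106.94.x"; treating them as /24s is an assumption.
SUSPECT_NETS = [ipaddress.ip_network("5.61.36.0/24"), ipaddress.ip_network("185.106.94.0/24")]
HIGH_PORT = 1024  # assumed threshold for "non-standard high ports"


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every indicator the event matches (empty list if clean)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry":
        target = event.get("target", "").lower()
        if target.startswith(RUN_KEY.lower()):
            hits.append("run_key_write")
        if target.startswith(UNINSTALL_KEY.lower()) and event.get("value_name") == "NachoUpdate":
            hits.append("uninstall_key_nachoupdate")
    elif kind == "mutex" and event.get("name") == MUTEX:
        hits.append("nachocheese_mutex")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst_ip", ""))
        except ValueError:
            dst = None
        if dst is not None and int(event.get("dst_port", 0)) > HIGH_PORT \
                and any(dst in net for net in SUSPECT_NETS):
            hits.append("suspect_c2_range_high_port")
        if event.get("user_agent") == USER_AGENT:
            hits.append("c2_user_agent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched indicators) for every event that matched."""
    return [(i, h) for i, e in enumerate(events) for h in [check_event(e)] if h]


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"type": "registry", "target": RUN_KEY + r"\Updater", "value_name": "Updater"},
    {"type": "registry", "target": UNINSTALL_KEY + r"\{PLACEHOLDER-GUID}", "value_name": "NachoUpdate"},
    {"type": "mutex", "name": MUTEX},
    {"type": "network", "dst_ip": "5.61.36.10", "dst_port": "49152", "user_agent": USER_AGENT},
    {"type": "network", "dst_ip": "93.184.216.34", "dst_port": "443", "user_agent": "curl/8.0"},
]
```

The User-Agent string is a stock Internet Explorer 11 value and the Run key is written by many legitimate installers, so treat those two hits as correlation context for the mutex and IP-range hits rather than as stand-alone alerts.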
☠️ Risk & Impact
NachoCheese enables full remote control of infected hosts, allowing threat actors to exfiltrate sensitive financial records, intellectual property, and credentials. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has linked the malware to ransomware‑adjacent operations where data is encrypted after exfiltration, causing average losses of $2.4 million per incident in the financial sector. Healthcare and manufacturing sectors in Asia‑Pacific have been the most affected, with at least 14 confirmed breaches between 2017 and 2023.
🛡️ Mitigation
Defenders should enable email gateway filtering for OLE and macro‑based attachments, deploy endpoint detection rules (e.g., Sigma rule 9420) to block registry persistence attempts, and apply patches for known CVEs CVE-2017-0199 and CVE-2019-0708. Network segmentation and mandatory multi‑factor authentication (MFA) for VPN access are recommended, alongside periodic scans using YARA rules that match the XOR‑encrypted payload patterns documented in MITRE ATT&CK software S0449.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.