Nosedive

Malware

⚠️ Overview

Nosedive is a remote access trojan (RAT) first publicly documented by Palo Alto Networks Unit 42 in 2018 and attributed to the North Korean advanced persistent threat (APT) group known as Lazarus Group (tracked by US-CERT as Hidden Cobra; its financially motivated operations are tracked by Mandiant as APT38). The backdoor is typically delivered via spear‑phishing emails carrying malicious Microsoft Office documents that exploit CVE‑2017‑11882, a memory‑corruption flaw in the legacy Equation Editor component (EQNEDT32.EXE), to drop the payload. It belongs to the category of espionage‑focused remote access tools, designed to provide persistent, stealthy access to compromised networks.

🔧 Technical Capabilities

Nosedive uses DLL side‑loading (MITRE ATT&CK T1574.002) to execute its main payload, placing a malicious DLL next to a legitimate signed executable (e.g., a Windows binary) so that the trusted process loads it. It communicates with its command‑and‑control (C2) infrastructure over HTTP, typically with encrypted request bodies to evade network detection. The malware supports a wide range of commands, including file upload/download, process execution, registry manipulation, and screenshot capture. For persistence, it installs itself as a scheduled task (T1053.005) or adds a value under the HKCU Run registry key (T1547.001). To hinder analysis, Nosedive implements anti‑debugging checks such as timing delays and sandbox detection. It can also inject code into legitimate system processes using process hollowing (T1055.012). The malware is modular, with plugins for additional functionality such as keylogging (T1056.001) and host and network reconnaissance (the process‑discovery component maps to T1057).

📜 History & Notable Incidents

The first known campaign deploying Nosedive was identified by Unit 42 in 2018, targeting South Korean defense contractors and cryptocurrency exchanges. In 2019, the malware was observed in attacks against financial institutions in Southeast Asia, with the Lazarus Group using it to exfiltrate sensitive documents and cryptocurrency wallet keys. No law enforcement actions directly targeting Nosedive have been publicly reported, but the broader Lazarus infrastructure has been disrupted through international sanctions and takedowns. For initial compromise the malware leverages CVE‑2017‑11882 (Microsoft Equation Editor) and CVE‑2018‑0802 (a second Equation Editor flaw, disclosed after the first patch was bypassed).

🔍 Detection Indicators

Known file hashes associated with Nosedive include MD5 c4a4e8b9f1d2... (Unit 42 report) and SHA256 e3b0c442... (example from VirusTotal). Both hashes are truncated here and cannot be used for matching as shown; note also that e3b0c442 is the leading prefix of the SHA256 of empty input (zero‑length data), so that value should be treated with suspicion until the full hash is confirmed against the original report. Network indicators include HTTP POST requests to domains mimicking legitimate cryptocurrency or defense sites, often with User‑Agent strings like "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0". That is the stock Firefox 56 User‑Agent, so it is only meaningful in combination with the POST pattern and destination, not on its own. On the host, the malware creates a mutex named Global\NosediveMutex and writes a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose data contains rundll32.exe followed by the path of a randomly named DLL (signed‑binary proxy execution, T1218.011).

☠️ Risk & Impact

Nosedive poses a severe threat to national security, primarily targeting the defense, financial, and cryptocurrency sectors. A successful infection gives the operator full remote control of the compromised system, enabling long‑term exfiltration of classified documents, intellectual property, and digital assets. Ransomware‑style extortion is not typical for this malware family, but the theft of cryptocurrency wallets and transaction data has resulted in multi‑million‑dollar losses for affected exchanges.

🛡️ Mitigation

Organizations should apply the Microsoft Office security updates for CVE‑2017‑11882 (released November 2017) and CVE‑2018‑0802 (released January 2018) to prevent initial infection; the January 2018 update also removed the Equation Editor component entirely. Note that restricting Office macros does not stop these exploits, because the Equation Editor is invoked by an embedded OLE object rather than by macro code, so macro restrictions are a complement to patching, not a substitute. Implement advanced email filtering to block spear‑phishing attachments, and deploy endpoint detection and response (EDR) rules that flag rundll32.exe loading unsigned DLLs from user‑writable directories such as %APPDATA%, %TEMP%, and C:\ProgramData. Regularly monitor the Run registry key and scheduled tasks for entries that launch rundll32.exe with a DLL outside Program Files or System32.
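The host indicators above (a Run‑key value that launches rundll32.exe with a DLL in a user‑writable directory, rundll32.exe loading an unsigned DLL from such a directory, and a scheduled task that does the same) can be turned into simple detection logic. The script below is an added example, not code from Unit 42, Boteraser, or any published Nosedive signature. It runs over constructed, Sysmon‑style events (field names EventID, Image, CommandLine, ImageLoaded, Signed, TargetObject and Details mirror Sysmon event IDs 1, 7 and 13, but the pipe‑delimited line format, the host names, the SID and the DLL names are invented for the example), and the list of user‑writable directories is an assumption about default Windows installs.

```python
"""Heuristics for the rundll32 / Run-key persistence pattern described above.
Example code run over constructed Sysmon-style events; not a vendor signature."""
import re
from typing import Dict, List, Optional

# Directories an unprivileged user can normally write to (assumption: default layout).
USER_WRITABLE = (
    r"\appdata\local\temp", r"\appdata\local", r"\appdata\roaming",
    r"\downloads", r"c:\users\public", r"c:\programdata", r"c:\windows\temp",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
RUNDLL_RE = re.compile(r"rundll32(\.exe)?", re.I)
DLL_PATH_RE = re.compile(r'"?([a-z]:\\[^"\s,]+\.dll)"?', re.I)

# Constructed sample events. WS01 shows the full chain (Word spawning rundll32 with a DLL
# in %APPDATA%, the unsigned DLL being loaded, a Run-key value written); WS02 shows a
# benign signed load and a scheduled task pointing at rundll32.
SAMPLE_EVENTS = r"""
EventID=1|Computer=WS01|Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Roaming\xk3f9.dll,Start|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
EventID=7|Computer=WS01|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\xk3f9.dll|Signed=false
EventID=13|Computer=WS01|TargetObject=HKU\S-1-5-21-100-200-300-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=rundll32.exe C:\Users\alice\AppData\Roaming\xk3f9.dll,Start
EventID=7|Computer=WS02|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\System32\shell32.dll|Signed=true
EventID=1|Computer=WS02|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /create /tn Updater /tr "rundll32.exe C:\ProgramData\u.dll,Start" /sc onlogon
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' line (constructed format) into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def dll_in_cmdline(cmdline: str) -> Optional[str]:
    """Return the first absolute .dll path found in a command line, if any."""
    match = DLL_PATH_RE.search(cmdline)
    return match.group(1) if match else None


def evaluate(ev: Dict[str, str]) -> List[tuple]:
    """Apply the four heuristics to one event; return (severity, reason, evidence) tuples."""
    findings = []
    eid = ev.get("EventID", "")
    image = ev.get("Image", "").lower()
    if eid == "7" and image.endswith("rundll32.exe"):
        loaded = ev.get("ImageLoaded", "")
        if is_user_writable(loaded) and ev.get("Signed", "").lower() != "true":
            findings.append(("high", "rundll32 loaded unsigned DLL from user-writable path", loaded))
    elif eid == "1" and image.endswith("rundll32.exe"):
        dll = dll_in_cmdline(ev.get("CommandLine", ""))
        if dll and is_user_writable(dll):
            findings.append(("medium", "rundll32 launched with DLL in user-writable path", dll))
    elif eid == "1" and image.endswith("schtasks.exe"):
        cmdline = ev.get("CommandLine", "")
        if "/create" in cmdline.lower() and RUNDLL_RE.search(cmdline):
            findings.append(("medium", "scheduled task created that runs rundll32", cmdline))
    elif eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if RUNDLL_RE.search(details):
            findings.append(("high", "Run key value launches rundll32", details))
    return findings


def scan(lines) -> List[Dict[str, str]]:
    """Run evaluate() over every non-empty line and collect findings with the host name."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for severity, reason, evidence in evaluate(ev):
            results.append({"host": ev.get("Computer", "?"), "severity": severity,
                            "reason": reason, "evidence": evidence})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{hit['severity']:6}] {hit['host']}: {hit['reason']} -> {hit['evidence']}")
```

Run against the constructed events, the scan raises four findings (two high, two medium) on the WS01 chain and the WS02 scheduled task, and stays silent on the signed shell32.dll load. The event‑7 rule is the highest‑fidelity one because it keys on the actual module load and its signature status; the command‑line and registry rules are cheaper but should be correlated with it in practice, since legitimate installers occasionally launch rundll32.exe from %TEMP%.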


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.