A joint technical alert released by the Department of Homeland Security (DHS) and the FBI warns about two newly identified malware families used by the prolific North Korean APT hacking group known as Hidden Cobra.
The group is believed to be backed by the North Korean government and is known to launch attacks against media organizations and the aerospace, financial and critical infrastructure sectors across the world.
Hidden Cobra, also known as Lazarus Group and Guardians of Peace, was associated with the WannaCry ransomware outbreak that forced the closure of several hospitals and businesses worldwide last year. It is also believed to be linked to the 2014 Sony Pictures hack and the 2016 SWIFT banking attack.
Now the DHS and the FBI have exposed two new malware families that Hidden Cobra has been using since 2009 to target the media, aerospace, financial and critical infrastructure sectors worldwide.
The two are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul.
Joanap – Remote Access Trojan
According to the US-CERT alert, Joanap is a “fully functional RAT”: a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations. Joanap infects a system as a file delivered by other malware, which users download inadvertently either when they visit websites compromised by Hidden Cobra or when they open malicious email attachments.
Joanap receives commands from a remote command-and-control server operated by the Hidden Cobra actors. It can then steal data, install and run additional malware, and initialize proxy communications on a compromised Windows device.
Joanap also provides functions such as file management, process management, creation and deletion of directories, botnet management and node management. The malware was found on 87 compromised network nodes in 17 countries, including Brazil, China, Spain, Taiwan, Sweden, India and Iran.
Brambul – SMB Worm
Brambul is a brute-force authentication worm that, like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol to spread to other systems.
The Windows 32-bit SMB worm comes as a service dynamic link library (DLL) file or a portable executable file that is delivered to and installed on victims’ networks by dropper malware.
The alert says that “When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.”
After gaining unauthorized access to a system, the malware sends information about the victim’s system to the Hidden Cobra actors by email. This information includes the IP address and hostname, as well as the username and password, of each victim system.
The hackers can use this stolen information to remotely access the compromised system via the SMB protocol. They can also generate and execute a suicide script.
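The spreading behaviour quoted from the alert (brute-force SMB logons on ports 139 and 445 against hosts on the local subnet, plus attempts against randomly generated addresses) leaves a characteristic pattern in authentication or firewall logs: one internal host producing many failed SMB logons against many distinct destinations in a short window, sometimes followed by a success against a host it had just failed against. The following Python script is an added example written for this article, not code from the DHS/FBI alert or from the malware; the log line format and every sample line in it are constructed for the example, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""
Added example: flag Brambul-style SMB brute-force spreading in logs.
Not part of the DHS/FBI alert. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}

# Constructed sample log, one event per line:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <FAIL|SUCCESS> <user>
# 10.0.1.15 sweeps its /24 and two outside addresses; 10.0.1.40 is a user typo.
SAMPLE_LOG = """\
2018-05-29T10:00:01 10.0.1.15 10.0.1.20 445 FAIL administrator
2018-05-29T10:00:02 10.0.1.15 10.0.1.20 445 FAIL administrator
2018-05-29T10:00:03 10.0.1.15 10.0.1.21 445 FAIL administrator
2018-05-29T10:00:04 10.0.1.15 10.0.1.21 445 FAIL administrator
2018-05-29T10:00:05 10.0.1.15 10.0.1.22 445 FAIL administrator
2018-05-29T10:00:06 10.0.1.15 10.0.1.22 139 FAIL administrator
2018-05-29T10:00:07 10.0.1.15 10.0.1.23 445 FAIL administrator
2018-05-29T10:00:08 10.0.1.15 10.0.1.23 445 FAIL administrator
2018-05-29T10:00:09 10.0.1.15 10.0.1.23 445 SUCCESS administrator
2018-05-29T10:00:10 10.0.1.15 10.0.1.24 445 FAIL administrator
2018-05-29T10:00:11 10.0.1.15 10.0.1.25 445 FAIL administrator
2018-05-29T10:00:12 10.0.1.15 203.0.113.7 445 FAIL administrator
2018-05-29T10:00:13 10.0.1.15 198.51.100.4 445 FAIL administrator
2018-05-29T10:00:20 10.0.1.40 10.0.1.50 445 FAIL alice
2018-05-29T10:00:25 10.0.1.40 10.0.1.50 445 SUCCESS alice
2018-05-29T10:00:30 10.0.1.41 10.0.1.60 3389 FAIL bob
"""


def parse_line(line):
    """Parse one constructed log line into a dict (ValueError on malformed input)."""
    ts, src, dst, port, result, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "ok": result == "SUCCESS", "user": user}


def same_subnet(a, b, prefix=24):
    """True when b lies in a's /prefix network (assumed /24 for the example)."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def detect_smb_bruteforce(lines, window=timedelta(minutes=5),
                          min_failures=10, min_targets=5):
    """Return one alert per source that, within any `window`, produced at least
    `min_failures` failed SMB logons against at least `min_targets` hosts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in SMB_PORTS:          # only SMB traffic is of interest here
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        # Sliding window over this source's time-ordered SMB events.
        start, triggered = 0, False
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            fails = [e for e in evs[start:end + 1] if not e["ok"]]
            if len(fails) >= min_failures and len({e["dst"] for e in fails}) >= min_targets:
                triggered = True
                break
        if not triggered:
            continue

        # Summary covers all of this source's SMB events in the log.
        failed_targets = {e["dst"] for e in evs if not e["ok"]}
        # A success against a host this source already failed against is the
        # signature of a guessed password rather than a one-off typo.
        seen_fail, compromised = set(), set()
        for e in evs:
            if not e["ok"]:
                seen_fail.add(e["dst"])
            elif e["dst"] in seen_fail:
                compromised.add(e["dst"])
        alerts.append({
            "src": src,
            "failures": sum(1 for e in evs if not e["ok"]),
            "distinct_targets": len(failed_targets),
            "local_targets": sorted(t for t in failed_targets if same_subnet(src, t)),
            "external_targets": sorted(t for t in failed_targets if not same_subnet(src, t)),
            "likely_compromised": sorted(compromised),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this reports a single source, 10.0.1.15, with twelve failures across eight hosts, two of them outside its own subnet (the "random IP addresses" behaviour from the alert), and 10.0.1.23 as the host whose password was likely guessed. The separation of local and external targets is what distinguishes a worm-style sweep from a misconfigured service retrying against one peer, and the "likely compromised" list tells an incident responder where to look first.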
DHS and the FBI have published the list of all the IP addresses with which the Hidden Cobra malware communicates, along with other indicators of compromise (IOCs), so that organizations can block them and ensure their systems are not exposed to malicious cyber activity by the North Korean government.
DHS also recommended that users and administrators apply best-practice preventive measures to protect their computer networks, such as keeping software and systems up to date, installing and running antivirus software, turning off SMB, and blocking unknown executables and software applications.
Other malware previously linked to Hidden Cobra include Delta Charlie, a DDoS tool, as well as Destover, Wild Positron or Duuzer, and Hangman, with sophisticated capabilities such as DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware.