The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.
The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation.
The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.
The following MARs reports aim at helping organizations to detect HIDDEN COBRA activity:
- Malware Analysis Report (AR20-045A) – North Korean Trojan: BISTROMATH
- Malware Analysis Report (AR20–045B) – North Korean Trojan: SLICKSHOES
- Malware Analysis Report (AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER
- Malware Analysis Report (AR20-045D) – North Korean Trojan: HOTCROISSANT
- Malware Analysis Report (AR20-045E) – North Korean Trojan: ARTFULPIE
- Malware Analysis Report (AR20-045F) – North Korean Trojan: BUFFETLINE
- Malware Analysis Report (AR20-045G) – North Korean Trojan: HOPLIGHT
Let’s give a close look at each malware detailed in the MARs reports just released:
- BISTROMATH – a full-featured RAT implant;
- SLICKSHOES – a Themida-packed dropper:
- CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
- HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
- ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;
- BUFFETLINE – a full-featured beaconing implant.
US agencies also updated information included in a MARs report on the HOPLIGHTproxy-based backdoor trojan that was first analyzed in April 2019.
Each report includes a detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”
The US Cyber Command also announced to have uploaded malware samples to VirusTotal:
Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://t.co/cBqSL7DJzI. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) February 14, 2020
CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:
- Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
