US Govt agencies detail North Korea-linked HIDDEN COBRA malware

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.

The following MARs reports aim at helping organizations to detect HIDDEN COBRA activity:

Let’s give a close look at each malware detailed in the MARs reports just released:

  • BISTROMATH – a full-featured RAT implant;
  • SLICKSHOES – a Themida-packed dropper:
  • CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
  • HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
  • ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;
  • BUFFETLINE – a full-featured beaconing implant.

US agencies also updated information included in a MARs report on the HOPLIGHTproxy-based backdoor trojan that was first analyzed in April 2019.

Each report includes a detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

The US Cyber Command also announced to have uploaded malware samples to VirusTotal:

CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:

  • Maintain up-to-date antivirus signatures and engines.
    • Keep operating system patches up-to-date.
    • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
    • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
    • Enforce a strong password policy and implement regular password changes.
    • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
    • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
    • Disable unnecessary services on agency workstations and servers.
    • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
    • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
    • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
    • Scan all software downloaded from the Internet prior to executing.
    • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Pierluigi Paganini

February 17, 2020

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...