The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, US Cyber Command, and the Department of Homeland Security have published technical details of a new North Korea-linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) covering malware families used in recent attacks carried out by the North Korea-linked HIDDEN COBRA group.

The following MARs aim to help organizations detect HIDDEN COBRA activity:

Let’s take a closer look at each malware family detailed in the MARs just released:

  • BISTROMATH – a full-featured RAT implant;
  • SLICKSHOES – a Themida-packed dropper;
  • CROWDEDFLOUNDER – a Themida-packed 32-bit Windows executable, designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
  • HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
  • ARTFULPIE – an implant that downloads a DLL from a hardcoded URL and loads and executes it in memory;
  • BUFFETLINE – a full-featured beaconing implant.

US agencies also updated the MAR on the HOPLIGHT proxy-based backdoor trojan, which was first analyzed in April 2019.

Each report includes detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

US Cyber Command also announced that it had uploaded the malware samples to VirusTotal:

The CISA reports provide the following recommendations to help users and administrators strengthen the security posture of their organization’s systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer Sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing it.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
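As an added illustration (not part of the original article or of the CISA reports), the Python script below implements the “true file type” check from the list above: it compares an attachment’s extension against its leading header bytes using a small signature table constructed for this example, and flags anything that does not line up or is unrecognized.

```python
"""Check that an e-mail attachment's extension matches its file header (magic bytes)."""
from typing import Dict, Optional

# Constructed signature table for this example; extend it for your environment.
SIGNATURES = {
    "pe":   [b"MZ"],                                  # Windows EXE/DLL/SCR
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],                          # also OOXML (docx/xlsx/pptx)
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "ole":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],    # legacy .doc/.xls, .msi
}

# Extensions that legitimately carry each header type.
EXTENSIONS_FOR = {
    "pe":   {"exe", "dll", "scr", "sys"},
    "pdf":  {"pdf"},
    "zip":  {"zip", "docx", "xlsx", "pptx", "jar"},
    "png":  {"png"},
    "jpeg": {"jpg", "jpeg"},
    "ole":  {"doc", "xls", "ppt", "msi"},
}

def detect_true_type(data: bytes) -> Optional[str]:
    """Return the header-derived type name, or None if no known signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def extension_matches(filename: str, data: bytes) -> bool:
    """True when the extension is consistent with the header bytes.
    Unknown headers are reported as mismatches so they get a closer look."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_true_type(data)
    return kind is not None and ext in EXTENSIONS_FOR[kind]

def triage(attachments: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each attachment name to whether its extension matches its true type."""
    return {name: extension_matches(name, data) for name, data in attachments.items()}

if __name__ == "__main__":
    # Constructed sample attachments: headers only, padded with zero bytes.
    samples = {
        "report.pdf":  b"%PDF-1.7\n" + b"\x00" * 16,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,   # executable disguised as a PDF
        "notes.docx":  b"PK\x03\x04" + b"\x00" * 16,
    }
    for name, ok in triage(samples).items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

The check only proves that the header and extension agree; a genuine executable with an `.exe` extension still passes, so it complements rather than replaces antivirus scanning and attachment policy.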

Pierluigi Paganini