US-CERT has issued a joint technical alert from DHS and the FBI warning that two newly identified malware families have been used by the prolific North Korean APT group known as Hidden Cobra.
The Hidden Cobra hackers, also known as the Lazarus Group and Guardians of Peace, are reportedly backed by the North Korean government and known for attacks on media, aerospace, financial and critical infrastructure organizations around the world.
The group has also been linked to the WannaCry ransomware outbreak, which last year shut down hospitals and businesses around the world. According to reports, it is also connected to the 2014 hack of Sony Pictures and the 2016 attack on the SWIFT banking network.
Now the Department of Homeland Security (DHS) and the FBI have uncovered two malware families that the Hidden Cobra hackers have been using since at least 2009 to target media, aerospace, financial and critical infrastructure organizations around the world.
The two are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul. Here are the details of each.
Joanap - a remote access Trojan
According to the US-CERT alert, Joanap is a two-stage, “fully functional RAT” that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.
The malware typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly download when they visit websites compromised by the group or open malicious email attachments.
Joanap receives commands from a remote command-and-control server operated by the Hidden Cobra hackers, giving them the ability to steal data, install and run additional malware, and initiate proxy communications on a compromised Windows device.
Other Joanap capabilities include file management, process management, directory creation and deletion, botnet management, and node management.
During its analysis of the Joanap infrastructure, the US government detected the malware on 87 compromised network nodes in 17 countries, including Brazil, China, Spain, Taiwan, Sweden, India and Iran.
Brambul - an SMB worm
Brambul is a brute-force authentication worm that, like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol to spread to other systems.
The malicious 32-bit Windows SMB worm functions as a dynamic link library (DLL) file or a portable executable file that is typically dropped and installed on victims' networks by dropper malware.
“When it is executed, the malware tries to make contact with the victims’ systems and the IP addresses on the victims’ local subnetwork,” the alert warns.
“If successful, the application attempts to gain unauthorized access through the SMB protocol (ports 139 and 445) by initiating password attacks using a list of predefined passwords.”
Once Brambul has gained unauthorized access to a system, the malware e-mails information about the victim's system to the Hidden Cobra hackers, including the IP address and hostname as well as the username and password used to access each victim's system.
The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a “suicide script”.
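As an added example (not code from the alert or this article), the Python below shows how a defender can spot the behaviour described above in their own logs: a single internal host failing SMB authentication against many neighbouring hosts on ports 139 and 445 within a short window, which is what a subnet-walking password-list worm looks like from the network side. The log format, field names and sample lines are constructed for the example; adapt the regex to your firewall or authentication log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the alert): one line per SMB authentication
# attempt seen by a firewall or auth proxy, with source, destination, port, result.
SAMPLE_LOG = """\
2018-05-29T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=445 result=AUTH_FAIL user=administrator
2018-05-29T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 result=AUTH_FAIL user=administrator
2018-05-29T10:00:02 src=10.0.0.5 dst=10.0.0.23 dport=139 result=AUTH_FAIL user=administrator
2018-05-29T10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=445 result=AUTH_FAIL user=administrator
2018-05-29T10:00:03 src=10.0.0.5 dst=10.0.0.25 dport=445 result=AUTH_FAIL user=administrator
2018-05-29T10:00:04 src=10.0.0.5 dst=10.0.0.26 dport=445 result=AUTH_OK user=administrator
2018-05-29T10:00:05 src=10.0.0.9 dst=10.0.0.30 dport=445 result=AUTH_FAIL user=alice
2018-05-29T10:00:06 src=10.0.0.9 dst=10.0.0.30 dport=445 result=AUTH_OK user=alice
2018-05-29T10:05:00 src=10.0.0.5 dst=10.0.0.40 dport=445 result=AUTH_FAIL user=administrator
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) result=(?P<result>\S+)")
SMB_PORTS = {139, 445}  # the ports named in the alert


def find_smb_bruteforce(log_text, min_targets=4, window=timedelta(seconds=60)):
    """Flag sources whose SMB auth failures span >= min_targets distinct hosts
    inside any `window`-long interval: one host walking a subnet with a password
    list, rather than one user mistyping a password against one server."""
    events = defaultdict(list)  # src -> [(timestamp, dst, result)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue  # not an SMB attempt, or not in the expected format
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"], m["result"]))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, dst) for ts, dst, result in evs if result == "AUTH_FAIL"]
        best, start = set(), 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targets = {dst for _, dst in fails[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            # Hosts the same source then authenticated to are the likely next victims.
            accepted = {dst for _, dst, result in evs if result == "AUTH_OK"}
            findings[src] = {"targets": sorted(best), "accepted": sorted(accepted)}
    return findings
```

On the sample log only 10.0.0.5 is flagged: it failed against five hosts within three seconds and was then accepted by 10.0.0.26, while 10.0.0.9 is a single user retrying one server.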
DHS and the FBI have also provided downloadable lists of the IP addresses with which the Hidden Cobra malware communicates, along with other indicators of compromise (IOCs), to help network defenders block the activity and reduce their exposure to malicious cyber activity by the North Korean government.
DHS also recommends that users and administrators follow best practices as preventative measures to protect their networks, such as keeping software and operating systems up to date, running antivirus software, disabling SMB, and blocking unknown executable applications.
Last year, DHS and the FBI issued an alert describing another Hidden Cobra malware, called Delta Charlie, a DDoS tool believed to have been used by North Korea to launch distributed denial-of-service (DDoS) attacks against its targets.
Other malware connected to the Hidden Cobra hackers in the past includes Destover, Wild Positron (also known as Duuzer) and Hangman, with sophisticated capabilities such as DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware.