
DHS, FBI, and DoD Issue Joint Report on Malware in Use by the North Korean Government
The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) jointly issued three Malware Analysis Reports (MARs) on malware in use by the Democratic People’s Republic of Korea (DPRK, also known as North Korea). The three malware families are two Trojans (TAINTEDSCRIBE and PEBBLEDASH) and one Remote Access Tool (COPPERHEDGE).
North Korea uses this malware to maintain a presence on victim networks for current and future network exploitation.
HIDDEN COBRA is an Advanced Persistent Threat (APT) group, also tracked as APT38, that carries out malicious cyber activity at the behest of the North Korean government. HIDDEN COBRA is known for using DDoS botnets, keyloggers, ransomware, remote access tools (RATs), and wiper malware. The group conducts espionage to gather valuable information and spy on other nations. Its operators also break into financial institutions to steal money that funds other North Korean operations. Commercial cyber security researchers refer to HIDDEN COBRA as the Lazarus Group and Guardians of Peace.
The Lazarus Group was also implicated in a new malware variant, the Dacls Remote Access Trojan (RAT), that targets computers running macOS. A Remote Access Trojan is malicious code that gives an attacker remote control of an infected computer. RAT malware is used to read, edit, or delete files, gather system information, mine cryptocurrency, download additional malware, and steal sensitive information.
Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE
Malware Analysis Report AR20-133A reports that the COPPERHEDGE RAT has been used against cryptocurrency exchanges. It can run arbitrary commands, perform system reconnaissance, and exfiltrate data.
Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE
Malware Analysis Report AR20-133B covers the Trojan TAINTEDSCRIBE. This malware disguises itself as Microsoft’s Narrator. TAINTEDSCRIBE downloads a command execution module from its command and control (C2) server and can download, upload, delete, and execute files. It can also create and terminate processes and enumerate the target system.
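A masquerading binary is only as good as its disguise, so a quick host-level hunt is worth having. The following PowerShell is an added example, not code from the MAR or the issuing agencies. It assumes that the legitimate Narrator.exe on a default Windows install lives under %SystemRoot%\System32 and carries a valid Microsoft Authenticode signature, and it flags any running process by that name that fails either check.

```powershell
# Added example: flag running processes that call themselves Narrator but do not
# look like the genuine Microsoft binary.
# Assumptions (not stated in the MAR): the real Narrator.exe resides in
# $env:SystemRoot\System32 and is Authenticode-signed by Microsoft.
$expectedDir = Join-Path $env:SystemRoot 'System32'

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq 'Narrator.exe' } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Signature check of the on-disk image backing the process
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        $inExpectedDir = [bool]($path -and ((Split-Path $path -Parent) -ieq $expectedDir))
        $signedByMs    = [bool]($sig -and $sig.Status -eq 'Valid' -and
                                $sig.SignerCertificate.Subject -match 'Microsoft')

        [pscustomobject]@{
            PID          = $_.ProcessId
            Path         = $path
            InSystem32   = $inExpectedDir
            SigStatus    = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Either failed check is worth a closer look
            Suspicious   = -not ($inExpectedDir -and $signedByMs)
        }
    } | Format-Table -AutoSize
```

Run it in an elevated session so every process's ExecutablePath is readable. The check is deliberately narrow: it catches a file that borrows Narrator's name but not the location or signature, which is the disguise the report describes. A sample dropped under a different name, or one that is only ever staged on disk and never running, needs file hashing against the indicators in the MAR rather than this process sweep.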
Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH
Malware Analysis Report AR20-133C indicates that PEBBLEDASH is a full-featured beaconing implant with capabilities similar to those of TAINTEDSCRIBE.
HIDDEN COBRA is also associated with the ELECTRICFISH, HOPLIGHT, CROWDEDFLOUNDER, HOTCROISSANT, and BANKSHOT malware, among others. HIDDEN COBRA, aka the Lazarus Group, is the hacking group held responsible for the 2017 WannaCry ransomware attack. WannaCry infected over 200,000 computers globally and severely disrupted the UK’s National Health Service (NHS). It spread using the EternalBlue exploit, which the Shadow Brokers leaked from a toolset attributed to the Equation Group, widely linked to the US National Security Agency.
How to Protect Your Devices from Malware
System administrators should report malware incidents to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and should apply the following baseline measures:
• Configure host and network firewalls to deny unsolicited inbound connections
• Maintain up-to-date antivirus software on all devices
• Keep device operating systems patched with the latest updates
• Maintain all software and apps with security patches
• Require two-factor authentication (2FA) for access to devices, accounts, and applications
• Only grant user accounts the access level necessary to complete tasks