On the third anniversary of the global WannaCry ransomware outbreak, attributed to North Korea, the U.S. government has disclosed details about three new malware variants utilized by state-sponsored North Korean hackers. These variants, named COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, are designed for remote reconnaissance and the extraction of sensitive information from targeted systems, as outlined in a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD).
Significantly, these variants add to a growing arsenal of over 20 identified malware samples associated with the North Korean cyber group dubbed “Hidden Cobra,” commonly known as the Lazarus Group. The group’s activities span a wide range of cyber attacks and malware families, including the previously documented BISTROMATH, SLICKSHOES, and HOPLIGHT. The advisory emphasizes the persistence and evolving capabilities of these threats.
COPPERHEDGE, the first of the newly identified variants, functions as a full-featured Remote Access Tool (RAT). This malware is capable of executing arbitrary commands, conducting system reconnaissance, and exfiltrating data. The group has specifically targeted cryptocurrency exchanges, with multiple versions of COPPERHEDGE already recognized.
TAINTEDSCRIBE serves as a backdoor implant disguised as Microsoft’s Narrator screen reader utility. This deception allows it to download malicious payloads from a command-and-control (C2) server, as well as to upload and execute files while managing processes on the infected systems. This approach highlights the sophistication of the Lazarus Group’s tactics.
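The defender-side counterpart to the masquerading described above is to check that anything calling itself Narrator actually is Narrator. The following script is an added example and not code from the advisory or from any of the malware families it describes: it runs three checks (binary location, Authenticode signer, and outbound network activity) over a constructed process inventory. The record field names are assumptions about what an EDR or Sysmon export might provide, and the expected path and signer are the values found on a stock Windows installation.

```python
"""Flag processes masquerading as the Windows Narrator screen reader.

Added example, not taken from the advisory: the process records below are
constructed, the field names are assumptions about what a telemetry source
(e.g. an EDR process inventory) might export, and the expected path and
signer are the values on a stock Windows installation.
"""
from pathlib import PureWindowsPath

EXPECTED_PATH = r"C:\Windows\System32\Narrator.exe"
EXPECTED_SIGNER = "Microsoft Windows"


def narrator_findings(rec: dict) -> list:
    """Return the reasons a process record deviates from the real Narrator.

    Records for any other image name yield an empty list; only processes
    claiming to be Narrator are checked.
    """
    image = PureWindowsPath(rec["image"])
    if image.name.lower() != "narrator.exe":
        return []
    reasons = []
    # 1. Location: the genuine binary lives in System32; a copy running
    #    from a user-writable directory is the classic masquerading sign.
    if str(image).lower() != EXPECTED_PATH.lower():
        reasons.append(f"unexpected location {rec['image']}")
    # 2. Authenticode: Narrator is signed by Microsoft; an unsigned or
    #    differently signed binary is not the system utility.
    if rec.get("signer") != EXPECTED_SIGNER or not rec.get("signature_valid"):
        reasons.append("missing or non-Microsoft signature")
    # 3. Network: a screen reader has no reason to hold outbound connections,
    #    while the advisory says TAINTEDSCRIBE talks to a C2 server.
    if rec.get("remote_connections"):
        reasons.append(f"outbound connections to {rec['remote_connections']}")
    return reasons


def triage(records: list) -> dict:
    """Map PID -> findings for every suspicious Narrator look-alike."""
    return {r["pid"]: f for r in records if (f := narrator_findings(r))}


# Constructed sample inventory (not real telemetry); addresses are RFC 5737
# documentation ranges.
SAMPLE_PROCESSES = [
    {"pid": 1204, "image": r"C:\Windows\System32\Narrator.exe",
     "signer": "Microsoft Windows", "signature_valid": True,
     "remote_connections": []},
    {"pid": 5572, "image": r"C:\Users\Public\Narrator.exe",
     "signer": None, "signature_valid": False,
     "remote_connections": ["203.0.113.10:443"]},
    {"pid": 3310, "image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Windows", "signature_valid": True,
     "remote_connections": ["198.51.100.7:80"]},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

Only the second record is reported, with all three findings; the genuine Narrator and the unrelated svchost.exe pass. In a real deployment the records would come from your endpoint telemetry rather than the constructed list, and the signature check should rely on the platform's own Authenticode verification rather than on a string field.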
PEBBLEDASH shares many functionalities with TAINTEDSCRIBE, including file management capabilities—downloading, uploading, deleting, and executing files. In addition, it enables access to the Windows command-line interface (CLI) and system enumeration, demonstrating a comprehensive ability to interact with compromised systems.
The WannaCry outbreak in 2017, which spread by exploiting a Windows SMB vulnerability with the EternalBlue exploit, exemplifies the type of cyber threat posed by North Korean actors. This ransomware attack, which led to widespread disruption, was primarily motivated by financial gain, as the attackers demanded Bitcoin payments for the restoration of access to encrypted systems. The Lazarus Group’s involvement has been confirmed, linking it directly to this and numerous other attacks.
With the group reportedly responsible for the theft of over $571 million in cryptocurrency from online exchanges, their financially motivated campaigns have drawn significant attention from U.S. authorities. In response to these ongoing threats, sanctions were imposed last September against the Lazarus Group and its sub-groups, Bluenoroff and Andariel.
Earlier this year, the U.S. Department of Justice charged two Chinese nationals for laundering over $100 million in stolen cryptocurrency on behalf of these North Korean cyber operatives. In light of the ongoing risks, the U.S. government has issued alerts regarding the substantial cyber threat posed by North Korean state-sponsored hackers targeting global financial institutions, offering a reward of up to $5 million for information related to their illicit activities.
The advisory issued by U.S. authorities stresses the imperative for businesses to remain vigilant against the evolving tactics of North Korean cyber actors. North Korea’s increased reliance on illicit activities to fund its weapons programs underscores the urgent need for comprehensive cybersecurity measures. The advisory’s mapping of the malware’s behaviour to MITRE ATT&CK tactics and techniques, such as initial access and persistence, highlights the necessity for robust defenses as organizations strive to safeguard their systems against these pressing threats.