New Malware Alert: North Korean Hacking Group’s Tools Discovered
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, has issued a joint technical alert regarding two recently identified pieces of malware deployed by the North Korean Advanced Persistent Threat (APT) group known as Hidden Cobra, also referred to as the Lazarus Group. This hacking entity is widely believed to have backing from the North Korean government and is infamous for targeting various sectors globally, including media, aerospace, finance, and critical infrastructure.
Hidden Cobra has a notorious reputation for significant cyber offenses, being implicated in various high-profile incidents, such as the WannaCry ransomware attack that affected numerous healthcare facilities and businesses worldwide. Additionally, the group is linked to the 2014 Sony Pictures hack and the 2016 SWIFT banking breach. This latest alert reveals that Hidden Cobra has been utilizing two specific malware threats since at least 2009 to further its cyber operations.
The two newly identified malware strains are named Joanap and Brambul. Joanap functions as a Remote Access Trojan (RAT), allowing hackers to remotely control an infected device by establishing peer-to-peer communications. It typically infiltrates systems through other malware, often delivered via compromised websites or malicious email attachments. Commands are received from a remote command and control server, enabling data theft, deployment of additional malware, and manipulation of infected machines.
During a thorough investigation of the Joanap infrastructure, the U.S. government identified this RAT on 87 network nodes across 17 countries, including Brazil, China, Spain, and India. The malware’s capabilities extend to file management and botnet administration, showcasing a significant level of sophistication in conducting cyber operations.
Brambul, on the other hand, is an SMB worm that uses brute-force attacks to gain access to victim networks through the Server Message Block (SMB) protocol. Like the WannaCry ransomware, Brambul spreads by attempting to authenticate to other systems within local subnets. Its tactics include using an embedded list of passwords to attempt logins, aiming to gain entry without authorization. Upon successful infiltration, Brambul reports sensitive information back to its operators, including the IP addresses and credentials of compromised systems.
The alert emphasizes that this malware operates by trying to make contact with local machines, thereby increasing the attacker’s foothold within a network. Once breached, the actor can collect valuable data, including usernames and passwords, revealing the extensive reach of their capabilities.
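The spreading behaviour described above has a recognisable footprint in authentication telemetry: one source address producing failed logons against many neighbouring hosts in a short window. The following Python is an added example, not code from the CISA alert; it runs a simple detection over constructed, simplified logon records (the field layout and thresholds are assumptions for illustration).

```python
"""Flag Brambul-style SMB password spraying in authentication logs.

A host infected with the worm tries its embedded password list against
other machines on the local subnet, so a defender sees a single source
failing logons against many distinct hosts within minutes. The records
below are CONSTRUCTED sample data (simplified event 4625-like fields).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, target host, account, outcome
SAMPLE_LOG = [
    "2018-05-29T10:00:01 src=10.0.5.23 host=FS01 user=administrator result=FAIL",
    "2018-05-29T10:00:02 src=10.0.5.23 host=FS01 user=administrator result=FAIL",
    "2018-05-29T10:00:02 src=10.0.5.23 host=FS02 user=admin result=FAIL",
    "2018-05-29T10:00:03 src=10.0.5.23 host=WS17 user=administrator result=FAIL",
    "2018-05-29T10:00:03 src=10.0.5.23 host=WS18 user=administrator result=FAIL",
    "2018-05-29T10:00:04 src=10.0.5.23 host=WS19 user=root result=FAIL",
    "2018-05-29T10:00:05 src=10.0.5.23 host=WS20 user=administrator result=SUCCESS",
    "2018-05-29T10:01:00 src=10.0.5.40 host=FS01 user=jsmith result=FAIL",
    "2018-05-29T10:01:05 src=10.0.5.40 host=FS01 user=jsmith result=SUCCESS",
]


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_smb_sprayers(lines, window=timedelta(minutes=5), min_hosts=4, min_fails=5):
    """Return {src: sorted target hosts} for every source whose failed logons
    within `window` reach at least `min_fails` attempts against at least
    `min_hosts` distinct hosts. A normal user mistyping a password hits one
    host; a spreading worm hits many, which is what the thresholds separate."""
    fails = defaultdict(list)  # src -> [(ts, host), ...] for failed attempts only
    for rec in map(parse_line, lines):
        if rec["result"] == "FAIL":
            fails[rec["src"]].append((rec["ts"], rec["host"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            in_window = [h for t, h in events[i:] if t - start <= window]
            if len(in_window) >= min_fails and len(set(in_window)) >= min_hosts:
                flagged[src] = sorted(set(in_window))
                break
    return flagged
```

The successful logon to WS20 from the flagged source is the point at which the worm would begin reporting the compromised host's address and credentials back to its operators, so the alert is worth raising before that event, not after it.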
As part of their recommendations, the DHS and FBI have advised organizations to take preventive measures, such as updating software, running robust antivirus solutions, and disabling SMB functionalities to mitigate exposure to these threats.
A previous alert issued by CISA also highlighted another malware known as Delta Charlie, which is associated with DDoS attacks. This emphasis on ongoing threats underscores the necessity for vigilance within the cybersecurity landscape, particularly as the potential for further attacks remains a concern.
Given the complex nature of these attacks, potential tactics from the MITRE ATT&CK framework that could be utilized by Hidden Cobra include initial access through phishing or service exploitation, persistence mechanisms via the RAT, and privilege escalation through brute-force attacks made feasible by Brambul. Understanding these techniques holds crucial implications for businesses looking to bolster their cybersecurity defenses against evolving threats.
As cyber threats continue to rise, remaining informed and proactive is essential for organizations aiming to safeguard their digital assets from malicious actors worldwide. Organizations are encouraged to stay updated regarding the latest vulnerabilities and attacks while adopting a multi-layered security approach to defend against these sophisticated threats.