By SecureWorld News Team
Wed | May 30, 2018 | 5:54 AM PDT

The U.S. Department of Homeland Security and the FBI issued a joint technical alert to warn about ongoing hacking efforts of HIDDEN COBRA.

HIDDEN COBRA is how the U.S. government refers to malicious cyber activity by the North Korean government.

1 RAT, 1 worm, and their targets

The federal agencies say their analysis shows this is an ongoing campaign that apparently started in 2009 and continues to spread and get updates "to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors."

The North Korean RAT, Joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include:

  • file management,
  • process management,
  • creation and deletion of directories, and
  • node management.

North Korea's Server Message Block (SMB) worm, Brambul

Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:

  • harvesting system information,
  • accepting command-line arguments,
  • generating and executing a suicide script,
  • propagating across the network using SMB,
  • brute forcing SMB login credentials, and
  • generating SMTP email messages containing target host system information.

Read the complete Homeland Security HIDDEN COBRA technical alert, which includes mitigation and prevention tactics, for more information.
