The North Korean APT group known as Hidden Cobra is conducting active cyber attacks against U.S. businesses, including media, aerospace, financial and critical infrastructure companies.
The state-sponsored group is using two families of malware in the U.S.: a remote access tool (RAT) named Joanap, and a Server Message Block (SMB) worm dubbed Brambul.
Both were first observed in 2009 and have since been improved with newer, more powerful techniques. The attackers use them to target sensitive and proprietary information, and in doing so disrupt or disable many regular operations, systems and files.
Malware analysis of both families revealed the following notable facts:
Joanap is a fully functional RAT used as a payload for various phishing or drive-by attacks. The Hidden Cobra group uses it to exfiltrate data and host system information, drop and run secondary payloads, and initialize proxy and peer-to-peer communications on compromised Windows devices. The malware uses Rivest Cipher 4 (RC4) encryption to communicate with its command-and-control (C2) servers, and it is also capable of managing botnets for other types of operations, file management, process management, creation and deletion of directories, and node management.
Companies and individuals must take precautions against this growing wave of cyber attacks; at a minimum they should deploy a cybersecurity solution, such as an antivirus, to protect their systems. Basic measures include regularly updating operating systems and using an antivirus for Windows or an antivirus for Mac, depending on which OS the device runs. Companies should also hire professional cybersecurity firms to check their internal network a couple of times per year; these checkups must always include a penetration test and various ethical hacking tests.
On the other hand, Brambul is a 32-bit Windows brute-force authentication worm that spreads through SMB, the Windows file-sharing protocol that enables shared access to files between users on a network. SMB is now notorious because of the leaked National Security Agency hacking tools that target it, such as EternalBlue and EternalRomance.
Brambul explicitly targets poorly secured or unsecured user accounts and then spreads through network shares. The malware arrives as a fake service dynamic link library (DLL) file or a portable executable (PE) file; once executed, it spreads to other subnets and systems on the network.
After a successful infection, Brambul harvests system information and sends it back to Hidden Cobra via malicious email messages. The malware also accepts command-line arguments and has a self-kill mechanism.
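A worm that brute-forces accounts over SMB, as Brambul is described above, leaves a recognizable trail on every host it probes: a burst of Windows Security event 4625 (failed logon) records with Logon Type 3 (network) from one source, spread across many account names, sometimes followed by a 4624 (successful logon) once a weak password is found. The script below is an added example written for this article, not code from the original post or from any DHS/FBI report; it runs a sliding-window detector over a few constructed event lines. The pipe-separated record layout, the threshold of five failures per minute and the sample IP addresses are assumptions for illustration.

```python
"""Flag SMB brute-force sources in Windows failed-logon events.

Added example (not from the original article). Brambul-style worms
brute-force user accounts over SMB, which shows up on each probed host
as a burst of Security event 4625 (failed logon) with Logon Type 3
(network) from one source IP. This detector parses constructed event
lines and flags any source with >= THRESHOLD such failures inside a
sliding WINDOW, reporting how many distinct accounts it tried and
whether a network logon later succeeded from the same source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|event_id|logon_type|account|source_ip".
# 10.0.0.45 sprays six accounts in a few seconds, then logs in as jsmith;
# 10.0.0.12 is a user mistyping a password (one interactive, two slow network failures).
SAMPLE_EVENTS = """\
2018-05-29T10:00:01|4625|3|administrator|10.0.0.45
2018-05-29T10:00:02|4625|3|admin|10.0.0.45
2018-05-29T10:00:02|4625|3|guest|10.0.0.45
2018-05-29T10:00:03|4625|3|backup|10.0.0.45
2018-05-29T10:00:04|4625|3|jsmith|10.0.0.45
2018-05-29T10:00:05|4625|3|root|10.0.0.45
2018-05-29T10:00:07|4624|3|jsmith|10.0.0.45
2018-05-29T10:03:00|4625|2|jsmith|10.0.0.12
2018-05-29T10:05:00|4625|3|jsmith|10.0.0.12
2018-05-29T11:05:00|4625|3|jsmith|10.0.0.12
"""

THRESHOLD = 5                   # failed network logons inside one window
WINDOW = timedelta(minutes=1)   # sliding window length


def parse_events(text):
    """Turn the pipe-separated sample lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "source": source,
        })
    return events


def find_bruteforce_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": peak failures in one window,
    "accounts": set of account names tried, "success_after": bool}}
    for every source that crosses the threshold."""
    recent = defaultdict(deque)      # per-source timestamps inside the window
    accounts = defaultdict(set)      # per-source account names attempted
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source"]
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            q = recent[src]
            q.append(ev["time"])
            accounts[src].add(ev["account"])
            while q and ev["time"] - q[0] > window:   # drop timestamps that aged out
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src, {"failures": 0, "accounts": accounts[src], "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif ev["event_id"] == 4624 and ev["logon_type"] == 3 and src in flagged:
            # A successful network logon after a flagged burst is the worst case:
            # the brute force most likely landed on a weak account.
            flagged[src]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {info['failures']} failures in {WINDOW}, "
              f"{len(info['accounts'])} accounts tried, "
              f"successful logon afterwards: {info['success_after']}")
```

On the sample data only 10.0.0.45 is flagged (six failures in one window across six accounts, followed by a successful logon); the slow, single-account failures from 10.0.0.12 stay below the threshold. In practice the flagged sources are what you would cross-check against the IP addresses and other IOCs that DHS and the FBI are distributing, and an account lockout policy makes the burst both noisier and less likely to succeed.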
The IP addresses and other indicators of compromise (IOCs) from these attacks link both strains back to the North Korean government. DHS and the FBI are now distributing these IP addresses and other IOCs to enable network defense and reduce exposure to malicious cyber activity by the North Korean government.
Hidden Cobra, also known as the Lazarus Group, is a long-established and well-known North Korean APT group that has been linked to the infamous 2014 Sony Pictures hack as well as the SWIFT banking attacks. More recently, last June, the group used a malware named DeltaCharlie to carry out distributed denial-of-service (DDoS) attacks.
The group also controls a global espionage campaign known as GhostSecret, which researchers say is still ongoing. The GhostSecret campaign is carrying out data reconnaissance across a wide range of industries, including critical infrastructure, entertainment, finance, healthcare, and telecommunications, in at least 17 countries.
Keep in mind that all private data has significant value and must be protected by at least a cybersecurity solution such as an antivirus. Depending on which OS your device runs, install an antivirus for Windows or an antivirus for Mac for full protection. Companies must take an extra step and hire a professional cybersecurity firm to run various cybersecurity tests on the company's network so that only the best possible cybersecurity solution is implemented. Always opt for a package that includes at least a penetration test and an ethical hacking test. For companies that exist 100% online, we recommend using cyber-secured web hosting services.