Hidden Cobra Strikes Again with Custom RAT, SMB Malware

The feds are warning that the North Korean APT group known as Hidden Cobra is mounting active attacks on U.S. businesses (and others globally), including organizations in the media, aerospace, financial and critical infrastructure sectors.

According to a United States Computer Emergency Readiness Team (US-CERT) bulletin released Tuesday, the state-sponsored group is using two families of malware against U.S. assets: A remote access tool (RAT) dubbed Joanap; and a Server Message Block (SMB) worm known as Brambul.

Neither family is new, having been first observed in 2009. However, both are bringing thoroughly modern tricks to the cyber-party. The actors are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files.

A Look at Joanap and Brambul

Joanap is a fully functional RAT that serves as the payload in various phishing or drive-by attacks. Hidden Cobra uses it to exfiltrate data and host system information, drop and run secondary payloads, and initialize proxy and peer-to-peer communications on compromised Windows devices, according to the alert. It uses Rivest Cipher 4 encryption to communicate with the C2.

It also has capabilities to manage botnets for other types of operations, and can carry out file management, process management, the creation and deletion of directories, and node management.

Brambul meanwhile is a Windows 32-bit brute-force authentication worm that spreads through SMB, which is the Windows file-sharing protocol that enables shared access to files between users on a network. Famously, SMB is the point of compromise targeted by leaked National Security Agency hacking tools like EternalBlue and EternalRomance.

In this case, Brambul specifically targets insecure or unsecured user accounts and spreads through poorly secured network shares. It shows up looking like a service dynamic link library file or a portable executable file; and once executed, it pivots to spread to other subnets and systems on the network.

“If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks,” the alert explained.

Once active on a system, Brambul sets about harvesting system information and sending it back to Hidden Cobra actors via malicious email messages. It can also accept command-line arguments, and it has a self-kill mechanism.

North Korea Behind the Scenes

Joint Hidden Cobra research from the Department of Homeland Security and the FBI noted that IP addresses and other indicators of compromise (IOCs) associated with the attacks link back to both strains, which they say are custom malware deployed by the North Korean government.

“FBI has high confidence that Hidden Cobra actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation,” the feds said in their alert. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber-activity.”

Hidden Cobra (also known as the Lazarus Group) has been on the radar screen for some time; it was linked to the infamous 2014 Sony Pictures hack, for instance, as well as the SWIFT banking attacks. More recently, last June the group was seen leveraging malware called DeltaCharlie, which is the brains behind North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.

Also, in April, Thailand’s Computer Emergency Response Team (ThaiCERT) seized a server operated by the APT, which is part of the network used to control the global GhostSecret espionage campaign, which researchers say is still ongoing. McAfee warned at the time that the GhostSecret campaign was carrying out data reconnaissance on a wide number of industries, including critical infrastructure, entertainment, finance, healthcare and telecommunications, in at least 17 countries.

To avoid compromise, users and administrators should follow best practices, especially maintaining up-to-date patching and antivirus; enabling workstation firewalls; implementing email- and download-scanning to quarantine or block suspicious attachments and files; restricting user permissions for software installations; and disabling Microsoft’s File and Printer Sharing service, if not needed.

“If this service is required, use strong passwords or Active Directory authentication,” US-CERT noted.

READ MORE HERE