US Exposes North Korea Government’s Typeframe Malware

Video: Job-offer malware linked to North Korea chases bitcoin boom.

More security news

The US Computer Emergency Readiness Team (US-CERT) is warning users and admins about newly uncovered malware developed by North Korean hacking group Hidden Cobra, also known as the Lazarus Group.

US-CERT’s report on Typeframe identifies 11 pieces of malware, which consist of Windows executable files and a Word document with malicious Visual Basic macros.

“These files have the capability to download and install malware, install proxy and Remote-Access Trojans (RATs), connect to command-and-control servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” US-CERT notes in its latest malware report on the North Korean government’s Hidden Cobra campaign.

In May US-CERT issued an alert about Hidden Cobra’s Joanap and Brambul malware, which have been used since 2009 to collect information from companies in the media, aerospace, financial, and critical-infrastructure sectors.

Hidden Cobra is also known as the hacking group Lazarus, which researchers believe was responsible for the WannaCry ransomware outbreak, an $80m Bangladesh cyber bank heist via SWIFT, and 2014’s Sony Pictures hack.

SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

Researchers at McAfee earlier this year spotted a malicious Word document used in phishing campaigns aimed at financial sector organizations in Asia. As with the Typeframe Word document, it encouraged users to ‘enable content’ to run a malicious Visual Basic macro.

The Typeframe report is the 12th malware family US-CERT has attributed to the Hidden Cobra group, including destructive malware, and tools for carrying out distributed denial-of-service attacks.

It also includes the malware implant Bankshot RAT, which was identified by US-CERT last December and resurfaced in March in a targeted phishing attack on Turkey’s financial sector via a malicious Word document with an embedded Adobe Flash Player exploit.

That exploit, thought to have been developed by North Korean hackers, was previously used in zero-day Flash attacks on South Korean targets.

US-CERT urged admins and users to give any activity related to Typeframe “the highest priority for enhanced mitigations”.

It also urged users to report any detections to DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Previous and related coverage

Security alert: Watch out for password-stealing malware says FBI

North Korean malware can steal data and spread across networks.

North Korea carried out the WannaCry ransomware attack, say security services

The cybersecurity arm of British intelligence services has reportedly suggested the global ransomware outbreak was launched from North Korea.

Hackers responsible for $80M bank heist show ‘no signs of stopping’

Lazarus, linked to the famous Bangladeshi bank heist, is probing Southeast Asia and Europe in the hunt for fresh targets.

Novetta finds Sony hackers active since 2009, North Korea involvement not endorsed

An investigation undertaken by a coalition of security firms has found that the perpetrators of the 2014 Sony hack were active well before the breach, with North Korea avoiding accusation this time around.

The FBI wants you to factory reset your router. Here’s how to do it (CNET)

The VPNFilter malware problem is getting worse. Here’s how to safeguard your home network, and a list of the affected models.

Lazarus hacking group rises again with new bitcoin-stealing cyberattacks against banks

New ‘HaoBao’ campaign also plants the seeds for additional espionage on targeted machines.

Can Russian hackers be stopped? Here’s why it might take 20 years (TechRepublic)

Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?

READ MORE HERE