The federal government this week issued an alert about two pieces of malware allegedly developed by the North Korean government that have been in use for almost a decade to attack such targets around the world, including the US.
The US-CERT joint technical alert from the FBI and Department of Homeland Security points to malware called Joanap and Brambul, part of the advanced persistent threat (APT) effort dubbed Hidden Cobra -- the name given by US government to threat actors tied to the North Korean government.
Joanap is a remote access tool (RAT) and Brambul is a server message block (SMB) worm that the FBI and DHS, citing "trusted third parties," note have been used since at least 2009 to target such industries as media, aerospace and finance as well a critical infrastructure.
"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses... to maintain a presence on victims' networks and enable network exploitation," according to the May 29 alert. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity."
The associated indicators of compromise (IOCs) can be found in the FBI and DHS alert.
Joanap is designed to receive multiple command that can be issued remotely by Hidden Cobra attackers from a command-and-control server and infects a system as a file that is placed by other malware designed by the group. That malware is downloaded by unknowing users when they visit compromised sites or open malicious attachments in email. The FBI and DHS found 87 compromised network nodes in 17 countries, including in South America, Asia, the Middle East and Europe.
The agencies noted that Brambul is a "brute-force authentication world that spreads through SMBs," which enable users on a network to share access to files. "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks," according to the alert.
DHS officials said that users should make sure to keep operating systems, software and anti-virus software up to date to help prevent against infection. The department also notes that users should scan all software downloaded from the Internet before executing it, restrict user permissions to install unwanted applications, scan for and remove suspicious email attachments and disable Microsoft's File and Printer Sharing service.
"McAfee can confirm that these malware samples have been known to cyber threat researchers since 2011," Ryan Sherstobitoff, a researcher at McAfee Labs, told Security Now in an email. "Our research into Hidden Cobra shows that these campaigns are still underway, and, while these components are being revealed now, the perpetrators behind the latest attacks have moved on to use newer tools."
Hidden Cobra -- which also has been known as Lazarus -- has been active for more than a decade and has ramped up its efforts in recent months even as the North Korean government has been in talks with South Korea and the US in hopes of easing tensions with the countries. The US government has put out multiple alerts about malware from Hidden Cobra since the beginning of the year, calling out Trojans such as Sharpknot, Hardrain and Badcall.
In April, McAfee Labs issued research regarding a Hidden Cobra campaign called "GhostSecret," which is targeting similar sectors as Joanap -- such as critical infrastructure, finance, healthcare and telecommunications -- in 17 countries around the world. Earlier this month, McAfee Labs noted a targeted mobile campaign called "RedDawn" -- and attributed to a group called Sun Team -- in which malware in Google Play was designed to implant spyware on the devices of North Korean defectors. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)
Hidden Cobra -- which Symantec refers to as Lazarus -- is fairly unique, according to Vikram Thakur, technical director for Symantec Security Response.
"This targeted attack group is the only one tracked by Symantec that has attempted attacks against organizations for financial gain," Thakur told Security Now in an email. "Aside from direct monetary gain, Lazarus has been involved in stealing intellectual property, espionage and even ransomware, such as WannaCray, that spread globally in mid-2017."
McAfee's Sherstobitoff said that it's difficult for industry researchers to link malware attacks to specific suspects, but that what McAfee does know dovetails with what the government has found regarding Joanap and Brambul.
"Direct attribution of cyber campaigns to particular actors is complicated," he said. "Cyber forensic evidence available to industry is just part of the picture. Governments are in a more effective position to combine such evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement. That said, we can confirm that the countries the government mentions as targets [of Joanap and Brambul] align with the attack targets we observed during our research into the GhostSecret operation and Hidden Cobra."
Symantec's Vikram said that "every country that conducts offensive cyber operations has different national interests for doing so. One might focus its resource on disinformation in specific geographies, another might be most interested in acquiring intellectual property for economic advantage. Lazarus is the only group that we've seen that has a team dedicated to conducting bank heists for more direct monetary gain. At the end of the day, the geopolitical situation of a country is what guides their offensive cyber mandate."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.