The US government today released information on three new malware variants used in malicious cyber activity campaigns by a North Korean government-backed hacker group tracked as HIDDEN COBRA.
The new malware is being used “for phishing and remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions” according to the information published by Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD).
U.S. Cyber Command has also uploaded five samples of the newly discovered malware variants onto the VirusTotal malware aggregation repository.
The announcement coincided with the three-year anniversary of the WannaCry ransomware outbreak, which US officials have formally blamed on the Pyongyang regime, and have even gone as far as to press charges against one of the hackers.
The three malware strains exposed today are named:
COPPERHEDGE – a remote access trojan (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six different variants identified.
TAINTEDSCRIBE – a malware implant (trojan) that’s installed on hacked systems to receive and execute the attacker’s commands. These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator.
PEBBLEDASH – another implant. This one has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published official advisories for the three malware strains on its website.
US Cyber Command has also uploaded samples for the three malware strains on its VirusTotal account.
Costin Raiu, a malware analyst for Kaspersky’s GReAT, confirmed that the three malware strains were linked to known North Korean threat groups. Per Raiu, the samples contained code similarities with Manuscrypt, a known North Korean malware family, which Kaspersky had discovered in 2017.
5 New malware samples attributed to DPRK by @FBI:https://t.co/zScGUiJAVb . These malware are used for phishing and remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. @US_CYBERCOM @CISAgov
— USCYBERCOM Malware Alert (@CNMF_VirusAlert) May 12, 2020
Since May 12, 2017, the DHS has published reports on 28 malware samples on its website.
The general train of thought was that by publishing easily available information on these malware strains, the public and private sector could deploy detection rules to block attacks involving these tools, forcing North Korean hackers to regularly work on new versions that can bypass security checks, instead of reaping the rewards from their hacking operations.
