The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.
The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation.
The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.
The following MARs reports aim at helping organizations to detect HIDDEN COBRA activity:
Malware Analysis Report (AR20-045A) – North Korean Trojan: BISTROMATHMalware Analysis Report (AR20–045B) – North Korean Trojan: SLICKSHOESMalware Analysis Report (AR20-045C) – North Korean Trojan: CROWDEDFLOUNDERMalware Analysis Report (AR20-045D) – North Korean Trojan: HOTCROISSANTMalware Analysis Report (AR20-045E) – North Korean Trojan: ARTFULPIEMalware Analysis Report (AR20-045F) – North Korean Trojan: BUFFETLINEMalware Analysis Report (AR20-045G) – North Korean Trojan: HOPLIGHTLet’s give a close look at each malware detailed in the MARs reports just released:
BISTROMATH – a full-featured RAT implant;SLICKSHOES – a Themida-packed dropper:CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;BUFFETLINE – a full-featured beaconing implant. US agencies also updated information included in a MARs report on the HOPLIGHT proxy-based backdoor trojan that was first analyzed in April 2019.
Each report includes a detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”
The US Cyber Command also announced to have uploaded malware samples to VirusTotal:
Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://t.co/cBqSL7DJzI. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM— USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:
• Maintain up-to-date antivirus signatures and engines.• Keep operating system patches up-to-date.• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.• Enforce a strong password policy and implement regular password changes.• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.• Disable unnecessary services on agency workstations and servers.• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).• Scan all software downloaded from the Internet prior to executing.• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;
try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}
Pierluigi Paganini
(SecurityAffairs – HIDDEN COBRA, malware)
The post US Govt agencies detail North Korea-linked HIDDEN COBRA malware appeared first on Security Affairs.