Pierluigi Paganini February 14, 2020

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.

The following MARs reports aim at helping organizations to detect HIDDEN COBRA activity:

• Malware Analysis Report (AR20-045A) – North Korean Trojan: BISTROMATH
• Malware Analysis Report (AR20–045B) – North Korean Trojan: SLICKSHOES
• Malware Analysis Report (AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER
• Malware Analysis Report (AR20-045D) – North Korean Trojan: HOTCROISSANT
• Malware Analysis Report (AR20-045E) – North Korean Trojan: ARTFULPIE
• Malware Analysis Report (AR20-045F) – North Korean Trojan: BUFFETLINE
• Malware Analysis Report (AR20-045G) – North Korean Trojan: HOPLIGHT

Let’s give a close look at each malware detailed in the MARs reports just released:

• BISTROMATH – a full-featured RAT implant;
• SLICKSHOES – a Themida-packed dropper:
• CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
• HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
• ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;
• BUFFETLINE – a full-featured beaconing implant. 

US agencies also updated information included in a MARs report on the HOPLIGHT proxy-based backdoor trojan that was first analyzed in April 2019.

Each report includes a detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

The US Cyber Command also announced to have uploaded malware samples to VirusTotal:

CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Pierluigi Paganini

(SecurityAffairs – HIDDEN COBRA, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]