The U.S. government released an alert about two strains of North Korean malware that are being used by Hidden Cobra.

The FBI and Homeland Security released a technical alert with details about two strains of malware that North Korean government-linked hackers are using to remotely penetrate systems and to steal passwords and other sensitive data.

The two families of malware being used as tools for Hidden Cobra, the U.S. government's code name for malicious cyber operations by the North Korean government, are the remote access tool (RAT) Joanap and the Server Message Block (SMB) worm Brambul. And, yes, you likely have heard of those before, since the U.S. government says Hidden Cobra actors have been using the malware since at least 2009.

The alert also cites a report that blamed Hidden Cobra actors for the 2014 cyber attack on Sony Pictures Entertainment. The same North Korean group was blamed for the devastating WannaCry attack that spread across the globe one year ago.

US-CERT's technical advisory reads:

According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors.

Joanap RAT

The two-stage malware Joanap is a fully functional RAT that allows Hidden Cobra hackers to remotely issue commands "to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device." Other Joanap functions noted in the advisory include "file management, process management, creation and deletion of directories, and node management."

Joanap typically lands on a system as a file dropped by other malware, which victims pick up by unknowingly downloading it from compromised sites or by opening malicious email attachments. The U.S. government identified 87 compromised network nodes. Countries with infected IP addresses include Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, and Tunisia.

Brambul SMB worm

Brambul is a brute-force authentication worm that spreads through SMB shares. It allows North Korean government-backed attackers to harvest system information, accept command-line arguments, generate and execute a suicide script, propagate across the network using SMB, brute-force SMB login credentials, and generate Simple Mail Transfer Protocol (SMTP) email messages containing target host system information.

Brambul is a "dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware" and generally spreads "by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks." According to the advisory, Brambul "targets insecure or unsecured user accounts and spreads through poorly secured network shares." In practice that means accounts with weak or default passwords and shares reachable over SMB (TCP port 445) from other hosts: one infected machine that can reach its neighbors on that port and guess a single password has found its next victim, which is why the worm does not need a software vulnerability to spread.

Detecting and mitigating the threats

The FBI has "high confidence" that Hidden Cobra is using the list of IP addresses included in the alert's indicators of compromise (IOC) files. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity," it said.

Admins and users are encouraged to review the Joanap and Brambul information released by the U.S. government to check for infection, as well as to review the recommended mitigation strategies.

U.S. blames North Korea even as talks about a U.S.-North Korean summit ramp up

Although this is far from the first warning the U.S. government has issued about Hidden Cobra, it comes as discussions increase about a possible summit between President Trump and North Korean leader Kim Jong Un.

ABC News added:

In preparation for the summit, Kim Yong Chol, a former four-star army general and military intelligence chief, is set to meet in New York with Secretary of State Mike Pompeo — a rare visit to the U.S. by a high-level North Korean official. Kim Yong Chol is suspected to have been behind a 2014 hack of Sony Pictures Entertainment over the movie "The Interview," a satire about a plot to assassinate the North Korean leader.

Pyongyang declined to comment on the newest alert released by the U.S. government, but it usually denies being involved in cyber attacks. Even if North Korea does issue another denial, a DHS official told Reuters, "The United States takes attribution seriously and does not make this conclusion lightly."

Just last week, the FBI, DHS and DoJ advised rebooting your router to clear it from advanced stages of the Russian-linked malware VPNFilter.
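Returning to the Brambul section above: the worm's propagation leaves a recognizable trace on each target it tries, a burst of failed network logons (Windows Security Event ID 4625 with Logon Type 3, the logon type SMB produces) from one source against many different accounts, which is exactly what walking a hard-coded credential list looks like from the victim's side. The script below is an added example, not code from the US-CERT alert or from this article, that flags that pattern in a batch of exported events. The one-JSON-object-per-line export format, the field names, the five-minute window and the five-account threshold are assumptions, and the sample records are constructed, not real telemetry.

```python
"""Flag Brambul-style SMB credential brute-forcing in exported Windows
Security events.

Added example, not from the US-CERT alert or the article. Assumptions:
events are exported one JSON object per line, and the field names used
below (EventID, LogonType, IpAddress, TargetUserName, TimeCreated) mirror
the Windows 4625 event schema. Thresholds are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security: "An account failed to log on"
NETWORK_LOGON = 3     # Logon Type 3 = network logon, which is what SMB produces


def _ev(ts, ip, user, logon_type=NETWORK_LOGON, event_id=FAILED_LOGON):
    """Build one constructed event record (sample data, not real telemetry)."""
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample log. 10.0.0.50 walks a short hard-coded credential list
# across six accounts inside two minutes (the Brambul pattern). 10.0.0.7 is
# one user mistyping one password. 10.0.0.9 touches six accounts but ten
# minutes apart, so no five-minute window ever sees more than one of them.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2018-05-29T10:00:01", "10.0.0.50", "Administrator"),
    _ev("2018-05-29T10:00:04", "10.0.0.50", "admin"),
    _ev("2018-05-29T10:00:09", "10.0.0.50", "guest"),
    _ev("2018-05-29T10:00:15", "10.0.0.50", "user"),
    _ev("2018-05-29T10:00:22", "10.0.0.50", "test"),
    _ev("2018-05-29T10:01:40", "10.0.0.50", "root"),
    _ev("2018-05-29T10:00:30", "10.0.0.50", "svc_backup", logon_type=2),  # interactive; ignored
    _ev("2018-05-29T10:02:00", "10.0.0.7", "alice"),
    _ev("2018-05-29T10:02:05", "10.0.0.7", "alice"),
    _ev("2018-05-29T10:02:11", "10.0.0.7", "alice"),
] + [
    _ev(f"2018-05-29T10:{10 * i:02d}:00", "10.0.0.9", name)
    for i, name in enumerate(["backup", "scan", "print", "sql", "web", "ftp"])
])


def parse_failed_network_logons(log_text):
    """Yield (timestamp, source_ip, account) for every 4625 / Logon Type 3 record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EventID") != FAILED_LOGON or rec.get("LogonType") != NETWORK_LOGON:
            continue
        yield (datetime.fromisoformat(rec["TimeCreated"]),
               rec["IpAddress"], rec["TargetUserName"].lower())


def find_smb_sprays(log_text, window_minutes=5, min_accounts=5):
    """Return {source_ip: peak distinct accounts} for every source whose failed
    network logons hit at least min_accounts *different* accounts inside some
    sliding window of window_minutes. Counting distinct accounts rather than
    raw failures is what separates a credential-list worm from one user
    mistyping a password many times."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, ip, account in parse_failed_network_logons(log_text):
        by_source[ip].append((ts, account))

    hits = {}
    for ip, events in by_source.items():
        events.sort()                      # the sliding window needs time order
        in_window = defaultdict(int)       # account -> failures currently in window
        start = 0
        peak = 0
        for ts, account in events:
            in_window[account] += 1
            # Evict events older than window_minutes relative to this event.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    for ip, n in find_smb_sprays(SAMPLE_LOG).items():
        print(f"{ip}: failed network logons against {n} distinct accounts inside 5 minutes")
```

Run against the constructed sample, only 10.0.0.50 is reported. The three failures from 10.0.0.7 all target one account, so they never count as a spray however many there are, and 10.0.0.9's six accounts only become a hit if the window is widened to an hour, which is the trade-off a defender tunes: a short window catches a fast worm with few false positives, a long one catches a slow, patient scanner at the cost of more noise. The same logic expressed as a SIEM query over 4625 events (group by source IP, count distinct target accounts per window) is the usual production form.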