A new alert from the DHS and FBI regarding Hidden Cobra, aka Lazarus Group, includes IP addresses and various IOCs corresponding to the APT's DDoS botnet malware "DeltaCharlie."
A new alert from the DHS and FBI regarding Hidden Cobra, aka Lazarus Group, includes IP addresses and various IOCs corresponding to the APT's DDoS botnet malware "DeltaCharlie."

The Department of Homeland Security and FBI on Tuesday jointly released a technical alert detailing IP addresses, infrastructure and tools used by Hidden Cobra, a North Korean advanced persistent threat group better known as the Lazarus Group.

Published by the US-CERT, the alert included .csv and .stix files containing IP addresses and various indicators of compromise corresponding to the APT's distributed denial of service (DDoS) botnet malware, known as DeltaCharlie. “DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization,” the alert states.

In describing Hidden Cobra's tactics, the alert notes that the state-sponsored APT especially targets the U.S. and international media, aerospace, financial and critical infrastructure sectors with campaigns leveraging not only DDoS botnets, but also remote access tools, spyware, backdoors like Wild Positron/Duuzer and Hangman, and wiper malware such as Destover. Potential consequences of an attack include loss of data, operational disruption, financial losses, and a damaged reputation, the alert continues.

To help better understand and defend against this threat, the DHS and FBI are encouraging additional research on Hidden Cobra cyber activity. Moreover, the two agencies are recommending that organizations patch applications and operating systems; harden web applications and their host servers, take advantage of application whitelisting; restrict privileges, permissions and access controls; secure the log-in process; segment and segregate networks; implement input validation; use strong file reputation settings; and optimize firewall configurations.

The alert notes that Lazarus Group has been known to exploit vulnerabilities found in older, unsupported versions of Microsoft operating systems, as well as Hangul Word Processor, Adobe Flash Player, and Microsoft Silversight – which makes regular, timely patching especially important.

Some malware analysts have recently reported on evidence potentially tying the WannaCry ransomware to the Lazarus Group, although other experts has emphasized that it is premature to attribute the attack to a particular group or nation. The APT has also been blamed for the Sony hack and the Bangladesh central bank cyber heist.

Following the rapid spread of last month's WannaCry ransomware, and the suspicions that it may have originated from North Korea, the alert on the DeltaCharlie malware family from US-CERT, the FBI and the American Department of Homeland Security will do little to abate the public's fears around North Korea's growing cyber arsenal," said Jan Zika, web threat lead at Avast, in emailed comments. "As with all malware risks, I'd recommend that people ensure all their software and apps are fully up to date with security patches, and their devices such as PCs, smartphones and routers have the latest firmware and operating systems."