FBI, DHS share intel on RAT and worm linked to North Korea

The FBI and Department of Homeland Security on Tuesday jointly released a pair of technical alerts via the US-CERT, warning of two malware families dating back to at least 2009 that they say are tied to the suspected North Korea-sponsored APT group Hidden Cobra.

Referencing intel from unnamed third parties and U.S. government analysis, the alerts share data on the remote access tool (RAT) Joanap and the Server Message Block-based (SMB) worm Brambul, including technical details, IP addresses and indicators of compromise.

Additionally, the agencies are collectively reporting that Joanap and Brambul have been used against both U.S.-based and global targets, including the media, aerospace, financial and critical infrastructure sectors. Successful attacks can result in loss of sensitive information, operational disruption and financial losses.

One alert describes Joanap as a two-stage, fully-functional RAT that Hidden Cobra (aka Lazarus Group) can use "to establish peer-to-peer communications and to manage botnets designed to enable other operations," giving them "the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device."

The malware, which typically infects hosts via droppers or compromised websites, uses Rivest Cipher 4 encryption to keep its C&C communications secret, and creates a log entry in the Windows System Directory to store stolen victim information, the alert continues.

Aided by unnamed third parties, government investigators found Joanap on 87 compromised network nodes with IP addresses in Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan and Tunisia.

Meanwhile, the alert describes Brambul as a 32-bit service dynamic link library file or a portable executable file that spreads by using hard-coded login credentials to brute-force its way past the authentication mechanism for SMB shares that allow users on the same network to access files.

As it propagates throughout an organization, Brambul communicates data about each infected system -- including IP addresses, host names, usernames and passwords -- that the Hidden Cobra actors can use to remotely access compromised machines via the SMB protocol.
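The credential brute-forcing the alert attributes to Brambul leaves a recognizable trail in Windows Security logs. As an added example that is not part of the alerts or of this article, the script below scans logon events for bursts of failed network logons (Event ID 4625, logon type 3, which is what SMB share access produces) from one source against several hosts, and reports whether a successful network logon (4624) from that source followed. The event records are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events (not from the alert).
# Fields: timestamp, event_id, logon_type, source_ip, target_host, user
EVENTS = [
    ("2018-05-29T10:00:01", 4625, 3, "10.0.0.5", "FS01", "administrator"),
    ("2018-05-29T10:00:02", 4625, 3, "10.0.0.5", "FS01", "admin"),
    ("2018-05-29T10:00:03", 4625, 3, "10.0.0.5", "FS02", "administrator"),
    ("2018-05-29T10:00:04", 4625, 3, "10.0.0.5", "FS02", "admin"),
    ("2018-05-29T10:00:05", 4625, 3, "10.0.0.5", "FS03", "administrator"),
    ("2018-05-29T10:00:06", 4624, 3, "10.0.0.5", "FS03", "admin"),
    # A user mistyping a password once is benign and must not be flagged.
    ("2018-05-29T10:05:00", 4625, 3, "10.0.0.9", "FS01", "jsmith"),
    ("2018-05-29T10:05:30", 4624, 3, "10.0.0.9", "FS01", "jsmith"),
]


def detect_smb_spray(events, window=timedelta(minutes=2),
                     min_failures=4, min_hosts=2):
    """Flag sources with >= min_failures failed network logons inside `window`
    spread over >= min_hosts targets; thresholds are assumed, tune per site."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, host, user in events:
        if ltype == 3:  # only network logons matter for SMB share access
            by_src[src].append((datetime.fromisoformat(ts), eid, host, user))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625]
        best = []
        for i, (t_end, _, _, _) in enumerate(fails):
            # Failures in the sliding window that ends at this failure.
            burst = [f for f in fails[:i + 1] if t_end - f[0] <= window]
            if (len(burst) >= min_failures
                    and len({f[2] for f in burst}) >= min_hosts
                    and len(burst) > len(best)):
                best = burst
        if best:
            t_start = best[0][0]
            hits[src] = {
                "failures": len(best),
                "targets": sorted({f[2] for f in best}),
                "users_tried": sorted({f[3] for f in best}),
                # A success after the burst suggests a credential actually worked.
                "success_after": [(h, u) for t, eid, h, u in evs
                                  if eid == 4624 and t >= t_start],
            }
    return hits


if __name__ == "__main__":
    for src, info in detect_smb_spray(EVENTS).items():
        print(src, info)
```

A hit with a non-empty success_after list is the case to treat as a likely compromised host rather than a noisy scanner, and the hosts it lists are where to look for the dropped service DLL.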

Through the alerts, U.S. officials also warned about two related malicious files used in conjunction with the main Joanap and Brambul payloads, including a malicious backdoor installer and an alternative SMB-based worm that works on 32-bit devices.

In comments emailed to SC Media, Rishi Bhargava, co-founder at Demisto, a security automation and response technology provider, praised the alerts as a "fantastic example of US-CERT sharing good, detailed information with the entire security community so that we can respond appropriately. Effective information sharing can help us to respond faster and more effectively."

The joint announcement comes at a potentially touchy time, however, as the Trump administration seeks to negotiate a denuclearization deal with the unpredictable North Korean regime, which often accuses the U.S. of engaging in acts of provocation. The U.S. last released a malware analysis report via the US-CERT on Mar. 28, when the FBI and DHS published an analysis of the Trojan malware variant SHARPKNOT.