Hidden Cobra malware infects Android devices with RAT, turns Windows machines into proxies

The Department of Homeland Security (DHS) and FBI on Tuesday jointly released two new reports analyzing trojan malware attributed to Hidden Cobra, aka Lazarus Group -- a threat actor widely believed to be sponsored by the North Korean government.

The two malware packages, referred to as HARDRAIN and BADCALL, can install a remote access tool (RAT) payload on Android devices, and force infected Windows systems to act as a proxy server, disguising their command-and-control communications to appear as if they are encrypted TLS/SSL (HTTPS) sessions.

According to the DHS and FBI, HARDRAIN is composed of three malicious executable files. The first two are 32-bit, Windows-based dynamic link library (DLL) executables, which configure the Windows Firewall to allow incoming connections, thus allowing the machines to function as proxies. Illicit communications are masked as HTTPS sessions by leveraging public certificates sourced from legitimate Internet services. In reality, the traffic is encrypted using an unidentified algorithm.

Accompanying these two DLL files is an Android-based Executable and Linkable Format (ELF) file that connects to hard-coded Internet Protocol (IP) addresses and acts as a RAT program.

BADCALL is also composed of three separate files -- and as with HARDRAIN, the first two are Windows executables designed to disable the firewall (by modifying a registry key) and transform infected systems into proxy servers. They, too, disguise malicious C2 communications as encrypted HTTPS traffic, but in actuality they encrypt their activity using a rudimentary cipher (XOR/ADD and SUB/XOR, respectively).
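Both families described above present their C2 traffic as HTTPS while actually using their own ciphers. One cheap defensive heuristic that follows from this is to check whether bytes seen on a TLS port are even structurally valid TLS records. The script below is an added example, not code from the DHS/FBI reports or the article; the sample byte strings are constructed, not captured traffic.

```python
# Structural TLS record-layer check for payload captured on a TLS port (e.g. 443).
# Traffic disguised as HTTPS but encrypted with a custom cipher (as the article
# describes for HARDRAIN and BADCALL) will typically not parse as TLS records.
# Added example; sample bytes below are constructed, not real malware traffic.
from typing import List, Tuple

# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 2**14 + 2048            # RFC 5246 ciphertext length limit


def parse_tls_records(stream: bytes) -> Tuple[bool, List[Tuple[int, int, int]]]:
    """Walk a byte stream as a sequence of TLS records.

    Returns (well_formed, records) where records holds (content_type, version,
    length) tuples. well_formed becomes False at the first bad header,
    oversized length or truncated record; an empty stream is not well formed."""
    records: List[Tuple[int, int, int]] = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:          # dangling bytes, not a 5-byte header
            return False, records
        ctype = stream[pos]
        version = int.from_bytes(stream[pos + 1:pos + 3], "big")
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
            return False, records
        if length == 0 or length > MAX_RECORD_LEN or pos + 5 + length > len(stream):
            return False, records
        records.append((ctype, version, length))
        pos += 5 + length
    return len(records) > 0, records


def looks_like_fake_tls(stream: bytes) -> bool:
    """True when data on a TLS port does not parse as TLS records at all."""
    well_formed, _ = parse_tls_records(stream)
    return not well_formed


# Constructed sample 1: handshake record followed by an application_data record.
GENUINE = (bytes([22, 0x03, 0x03]) + (4).to_bytes(2, "big") + b"\x01\x00\x00\x00"
           + bytes([23, 0x03, 0x03]) + (3).to_bytes(2, "big") + b"abc")
# Constructed sample 2: a single-byte XOR "cipher" over a beacon, no TLS framing.
FAKE = bytes(b ^ 0x5A for b in b"proxy-c2-beacon:hostname;uptime;")

if __name__ == "__main__":
    print("genuine:", parse_tls_records(GENUINE))    # (True, [(22, 771, 4), (23, 771, 3)])
    print("fake flagged:", looks_like_fake_tls(FAKE))  # True
```

Valid framing is necessary, not sufficient: a sample that copies TLS record headers passes this check, and since the certificates involved are legitimate, certificate validation alone will not flag these sessions either.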

The third file, meanwhile, is an Android Package Kit (APK) that, according to the BADCALL report, acts as a RAT program "capable of recording phone calls, taking screenshots using the device's embedded camera, reading data from the contact manager, and downloading and uploading data from the compromised Android device." It can also execute commands and scan for open Wi-Fi channels.