The DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation have released a report on six new or upgraded malware variants being used by North Korea.
The malware types included are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie, Buffetline and Hoplight. Hoplight is a previously recorded malware believed to be used by the North Korean cyberespionage group Hidden Cobra. All the new malware types are also used by Hidden Cobra, according to CISA.
Bistromath, also used by Hidden Cobra, consists of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder. The implant performs simple XOR network encoding and can conduct system surveys, upload and download files, execute processes and commands, capture audio from the microphone, and view the clipboard and the screen. The GUI controllers allow interaction with the implant as well as the option to dynamically build new implants with customized options.
Slickshoes is a Themida-packed dropper that decodes and drops the file “C:\Windows\Web\taskenc.exe”, which is itself a Themida-packed beaconing implant. The dropper does not execute the dropped file, nor does it schedule any task to run it. The implant uses its own (indigenous) network encoding algorithm and can conduct system surveys, upload and download files, execute processes and commands, and take screen captures.
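The drop path above is the one concrete host artifact the report gives for Slickshoes, and C:\Windows\Web normally holds only wallpaper and lock-screen images, so a presence check for PE files in that directory is a cheap hunt. The script below is an added example, not code from the CISA/FBI report: it walks a directory, flags any file whose first two bytes are the `MZ` DOS header regardless of extension, hashes it, and notes whether the name matches the reported `taskenc.exe`. No hash is published on this page, so the match is by name and header only; the directory is a parameter so the check can run against a test tree, and `build_demo_tree` creates a constructed tree for that purpose.

```python
"""Hunt for PE files dropped into C:\\Windows\\Web (added example, not report code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Path named in the report for the Slickshoes dropped file.
REPORTED_DROP_PATH = r"C:\Windows\Web\taskenc.exe"
DEFAULT_SCAN_DIR = r"C:\Windows\Web"


def is_pe_file(path: Path) -> bool:
    """A Windows executable starts with the 'MZ' DOS header, whatever its extension."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_pe_files(scan_dir: str = DEFAULT_SCAN_DIR) -> list[dict]:
    """Walk scan_dir recursively and describe every file that carries a PE header."""
    findings = []
    for root, _dirs, files in os.walk(scan_dir):
        for name in files:
            p = Path(root) / name
            if is_pe_file(p):
                findings.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "sha256": sha256_of(p),
                    # Name match only: the report gives no hash for the dropped file.
                    "matches_reported_name": name.lower() == "taskenc.exe",
                })
    return findings


def build_demo_tree() -> str:
    """Create a constructed directory that imitates C:\\Windows\\Web with one dropped PE.

    Contents are made up for the demo: a fake taskenc.exe with an MZ header,
    a JPEG-like wallpaper, and a second MZ file hidden in a subfolder.
    """
    base = tempfile.mkdtemp(prefix="web_demo_")
    Path(base, "taskenc.exe").write_bytes(b"MZ" + b"\x90" * 64)
    Path(base, "wallpaper.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    os.makedirs(Path(base, "Screen"))
    Path(base, "Screen", "img.bin").write_bytes(b"MZ\x00")
    return base


def demo() -> list[dict]:
    """Scan the constructed tree; on a real host call find_pe_files() with no argument."""
    return find_pe_files(build_demo_tree())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live Windows host, `find_pe_files()` with the default directory is the actual check; anything it returns should be triaged, and a hit named `taskenc.exe` should be compared against the indicators in the full CISA report rather than treated as confirmed on the name alone.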
Crowdedflounder is a Themida-packed 32-bit Windows executable that unpacks and executes a RAT binary in memory. It can either listen as a proxy for incoming connections carrying commands or connect out to a remote server to receive them.
Hotcroissant is another full-featured beaconing implant. It uses custom XOR network encoding and can conduct system surveys, upload and download files, execute processes and commands, and take screen captures.
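Both Bistromath and Hotcroissant are described above as using simple or custom XOR network encoding, which is exactly the kind of encoding an analyst peels off a captured beacon without needing the sample's key up front. The code below is an added example, not code from the CISA/FBI report or from either implant: the key, the message and the survey wording are constructed, and the key length is taken as a parameter (in practice it is read from the sample's decode loop; the report does not state it). The technique is the standard one: every key position XORs its own column of bytes, so each column is solved as single-byte XOR by keeping the key byte whose output looks most like text.

```python
"""Recover a short repeating XOR key from a captured beacon (added example, constructed data)."""
import string

# Rough English/ASCII weights: spaces and common letters score high, other
# printable bytes score a little, control and high bytes score badly.
_WEIGHTS = {" ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0,
            "n": 6.7, "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8}
_PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(candidate: bytes) -> float:
    """Higher means more plausible plaintext for a survey or command reply."""
    score = 0.0
    for b in candidate:
        if b not in _PRINTABLE:
            score -= 20.0
            continue
        score += 1.0 + _WEIGHTS.get(chr(b).lower(), 0.0)
    return score


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of known length.

    Bytes i, i+key_len, i+2*key_len, ... were all XORed with key[i], so each
    column is an independent single-byte XOR problem: try all 256 values and
    keep the one whose output scores best as text.
    """
    key = bytearray()
    for i in range(key_len):
        column = ciphertext[i::key_len]
        best = max(range(256), key=lambda k: text_score(xor_bytes(column, bytes([k]))))
        key.append(best)
    return bytes(key)


# Constructed sample: what a decoded system-survey reply might read like.
SAMPLE_PLAINTEXT = (
    b"survey result for host WS-0417: user jdoe is logged on, the os is "
    b"Windows 10 Pro on x64, uptime is 3214 seconds, the active processes are "
    b"explorer.exe svchost.exe notepad.exe outlook.exe, the shares are "
    b"C$ ADMIN$ IPC$, the domain is corp.example and the address is 10.0.12.41"
)
SAMPLE_KEY = b"\x5a\xc3\x19"  # constructed for the demo, not a key from the report
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def decode_sample() -> tuple[bytes, bytes]:
    """Recover the key from the constructed capture and return (key, plaintext)."""
    key = recover_key(SAMPLE_CIPHERTEXT, len(SAMPLE_KEY))
    return key, xor_bytes(SAMPLE_CIPHERTEXT, key)


if __name__ == "__main__":
    key, plaintext = decode_sample()
    print("recovered key:", key.hex())
    print(plaintext.decode("ascii", errors="replace"))
```

The scoring is deliberately crude; it only needs to separate real text from the 255 wrong decodings of each column, and the heavy penalty on non-printable output is what does most of the work. For a genuinely custom encoding (Hotcroissant's is described as custom, Slickshoes' as indigenous) the same column-by-column approach still applies once the per-byte operation has been read out of the sample.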
Artfulpie is an implant that downloads a DLL from a hardcoded URL and loads and executes it in memory.
Buffetline is the third full-featured implant listed. It uses PolarSSL for session authentication but then switches to a FakeTLS scheme for network encoding using a modified RC4 algorithm. The malware can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and enumerate the target system.