The Department of Justice is attempting to disrupt the North Korean operated Joanap botnet by creating a roadmap of computers infected with the malware and then notifying those affected to the infected computer can be removed from the botnet.
To try and defeat the Joanap botnet a court order was requested and received allowing the FBI and the U.S. Air Force Office of Special Investigations (AFOSI) to set up honeypots that mimicked being part of the botne, the DOJ said in a statement. With these in place researchers were able to collect limited identifying and technical information about other peers infected with Joanap, such as IP addresses, port numbers, and connection timestamps. This information allowed the FBI and AFOSI to build a map of the current Joanap botnet of infected computers.
The information gleaned from the Joanap botnet computers will be used to identify computers in the botnet and then with the help of ISPs provide personal notification to victims whose computers are not behind a router or a firewall. In the case of computers in foreign countries, U.S. authorities will work through the FBI’s Legal Attachés in that nation to notify the owners.
The plan stems from criminal conspiracy charges unsealed in September 2018 against North Korean national Park Jin Hyok who the DOJ said was part of a North Korean-government backed campaign that infected computers with the Brambul malware variant. Once ensconced in a computer Brambul delivers a second payload containing the Joanap botnet malware.
“Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution,” said Assistant Attorney General for National Security John Demers.
Joanap, which has operated since 2009, specifically targets computers running Microsoft Windows, but can be defeated through the use of basic antivirus solutions.