Threat Management, Threat Management, Threat Intelligence, Malware

FBI, DHS share intel on RAT and worm linked to North Korea


The FBI and Department of Homeland Security on Tuesday jointly released a pair of technical alerts via the US-CERT, warning of two malware families dating back to at least 2009 that they say are tied to the suspected North Korea-sponsored APT group Hidden Cobra.

Referencing intel from unnamed third parties and U.S. government analysis, the alerts share data on the remote access tool (RAT) Joanap and the Server Message Block-based (SMB) worm Brambul, including technical details, IP addresses and indicators of compromise.

Additionally, the agencies are collectively reporting that Joanap and Brambul have been used against both U.S.-based and global targets, including the media, aerospace, financial and critical infrastructure sectors. Successful attacks can result in loss of sensitive information, operational disruption and financial losses.

One alert describes Joanap as a two-stage, fully-functional RAT that Hidden Cobra (aka Lazarus Group) can use "to establish peer-to-peer communications and to manage botnets designed to enable other operations," giving them "the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device."

The malware, which typically infects hosts via droppers or compromised websites, uses Rivest Cipher 4 encryption to keep its C&C communications secret, and creates a log entry in the Windows System Directory to store stolen victim information, the alert continues.

Aided by unnamed third parties, government investigators found Joanap on 87 compromised network nodes with IP addresses in Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan and Tunisia.

Meanwhile, the alert describes Brambul as a 32-bit service dynamic link library file or a portable executable file that spreads by using hard-coded login credentials to brute-force its way past the authentication mechanism for SMB shares that allow users on the same network to access files.

As its propagates itself throughout an organization, Brambul communicates data about each infected system -- including IP addresses, host names, usernames and passwords -- that the Hidden Cobra actors can use to remotely access compromised machines via the SMB protocol.

Through the alerts, U.S. officials also warned about two related malicious files used in conjunction with the main Joanap and Brambul payloads, including a malicious backdoor installer and an alternative SMB-based worm that works on 32-bit devices.

In comments emailed to SC Media, Rishi Bhargava, co-founder at Demisto, a security automation and response technology provider, praised the alerts as a "fantastic example of US-CERT sharing good, detailed information with the entire security community so that we can respond appropriately. Effective information sharing can help us to respond faster and more effectively."

The joint announcement comes at a potentially touchy time, however, as the Trump administration seeks to negotiate a denuclearization deal with the unpredictable North Korean regime, which often accuses the U.S. of engaging in acts of provocation. The U.S. last released a malware analysis report via the US-CERT on Mar. 28, when the FBI and DHS published an analysis of the Trojan malware variant SHARPKNOT.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.