Threat Management, Threat Management, Threat Intelligence, Malware

Hidden Cobra malware infects Android devices with RAT, turns Windows machines into proxies

The Department of Homeland Security (DHS) and FBI on Tuesday jointly released two new reports analyzing trojan malware attributed to Hidden Cobra, aka Lazarus Group -- a threat actor widely believed to be sponsored by the North Korean government.

The two malware packages, referred to as HARDRAIN and BADCALL, can install a remote access tool (RAT) payload on Android devices, and force infected Windows systems to act as a proxy server, disguising their command-and-control communications to appear as if they are encrypted TLS/SSL (HTTPS) sessions.

According to the DHS and FBI, HARDRAIN is composed three malicious executable files. The first two are 32-bit, Windows-based dynamic link library (DLL) executables, which configure the Windows Firewall to allow incoming connections, thus allowing machines to function as proxies. Illicit communications are masked as HTTPS sessions by leveraging public certificates sourced from legitimate Internet services. In reality, however, the traffic is actually encrypted using an unidentified algorithm.

Accompanying these two DLL files is an Android-based Executable Linkable Format (ELF) file that connects to hard-coded Internet Protocol (IP) addresses and acts as a RAT program.

BADCALL is also composed of three separate files -- and as with HARDRAIN, the first two are Windows executables designed to disable the firewall (by modifying a registry key) and transform infected systems into proxy servers. They, too, disguise malicious C2 communications as encrypted HTTPS traffic, but in actuality they encrypt their activity using a rudimentary cipher (XOR/ADD and SUB/XOR, respectively).

The third file, meanwhile, is an Android Package Kit (APK) that, according to the BADCALL report, acts as a RAT program "capable of recording phone calls, taking screenshots using the device's embedded camera, reading data from the contact manager, and downloading and uploading data from the compromised Android device." It can also execute commands and scan for open Wi-Fi channels.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.