Hidden Cobra APT Hackers Attack Japanese Organisations Via Obfuscation Malware & Remote SMB Tool

Recently, the hidden cobra APT threat actors attacked Japanese organizations through obfuscation malware. This malware downloads and administers all the modules, and then it’s saved as a .drv file in a folder like C:¥Windows¥System32¥ and operate as assistance.

Hidden Cobra is also known as Lazarus is a North Korean APT hacker group that has been involved with various high profile cyber-attacks various government and private sectors around the globe since 2009.

Malware Obfuscation

It is a method that advances textual and binary data tough to concede, and it benefits the threat actors to hide all critical strings; It is a program that exhibits patterns of malware’s behavior. Such type of strings would be signed as keys and infected URLs. While in this case, the threat actors used VMProtect to obfuscate the service.

In this type of malware, the adversaries use encryption/encoding methods to hide all the data from the security programs. And in some cases, the advisories go a step further and practices some special tools named “packers” to obfuscate the whole program, which makes backward planning and interpretation much more complicated.

Where configuration stored?

The configuration of this malware (size: 0x6DE) is encrypted and collected in a registry record and arranged when performed. In this analysis, it was confirmed that the configuration is collected at the resulting directory:-

Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceseventlogApplication

Acccording to the jpcert report , All the strings in the malware are encrypted along with AES128, and that’s why the encryption key is hardcoded in this type of malware. Moreover, the Windows API title is also AES-encrypted. Later, when it decrypts the API strings, the address for the APIs that are named by LoadLibrary and GetProcAddress are determined.

C&C server communication

From the below image, you can see the proper chain of communication from the initial point of its communication with a C&C server until it’s downloading a module.

Module downloaded 

When the module gets downloaded, then it performs some main functions just as obtaining commands from C&C servers; And there are seven operations are performed by the module that are mentioned below:-

  • Operation on files (create a list, delete, copy, modify time created)
  • Operation on processes (create a list, execute, kill)
  • Upload/download files
  • Create and upload a ZIP file of an arbitrary directory
  • Execute arbitrary shell command
  • Obtain disk information
  • Modify system time

Apart from this, the security experts are still investigating the activities that are performed by Lazarus, and many different organizations who have proclaimed it. The experts also claimed that this type of attack are perceived in multiple countries. If it doesn’t get a fix soon, then this kind of similar attack will occur again in Japan.

Finally, attackers spread the infection and leveraging account information with help of the Python tool “SMBMAP” which allows access to the remote host via SMB after converting it as a Windows PE file with Pyinstaller.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Iranian Charming Kitten APT Hackers Deploying Malware via WhatsApp Messages

Rent a Hacker: Russian APT group “RedCurl” Attack Corporate Network to steal Commercial documents

Chinese APT Hackers Attack India & Hong Kong Using a New Malware to Steal Sensitive Data Remotely

APT Hackers Group Carefully Deploy Evilnum Malware Toolkit on Financial Sectors via Google Drive

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.