U.S. intelligence agencies issued a critical alert for the deadliest malware attacks, carried out widely by the North Korean government-sponsored hackers “HIDDEN COBRA” and targeting various government and private sectors.
In a joint operation, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense (DoD) and other intelligence agencies identified the following malware variants used by the North Korean government.
- HOPLIGHT (update)
“Malware attributed to NorthKorea uploaded samples in Virustotal and this malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions.”
Experts discovered twenty malicious executable files from the HOPLIGHT malware, of which sixteen are proxy applications that mask traffic between the malware and the remote operators.
Those proxy applications generate fake TLS handshake sessions using public SSL certificates, disguising network connections with remote malicious actors.
Once victims open the executable file, a public SSL certificate and the payload of the file appear to be encoded with a password or key.
BISTROMATH malware drops the full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
It performs various malicious operations in the victim’s network including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and the screen.
SLICKSHOES samples were observed to decode and drop a file, which is a Themida-packed beaconing implant.
The dropped beaconing implant uses an indigenous network encoding algorithm and is capable of many features including conducting system surveys, file upload/download, process and command execution, and screen captures.
A Hidden Cobra APT malware with a full-featured beaconing implant, once it infects the victim, attempts to connect to a hardcoded C2 IP and then immediately sends its victim info.
The malware was also developed to steal sensitive data from the infected victim’s device by listening for commands from the C2 server. It also performs dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its usage of network functions.
According to the report, “This report looks at an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.”
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA, and the malware downloads a loader once it drops the sample on the victim’s machine.
The BUFFETLINE malware sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm.
On successfully infected systems, attackers perform various malicious operations such as downloading, uploading, deleting, and executing files; enabling Windows CLI access; creating and terminating processes; and performing target system enumeration.
Security experts uncovered a Themida-packed 32-bit Windows executable that is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory.
The malware was also developed to listen as a proxy for incoming connections containing commands, or it can connect to a remote server to receive commands.
Users and administrators should also review the Malware Analysis Reports for each malware variant and add its indicators of compromise to network defence software rules to protect against infection.
Organizations are also requested to implement the following security measures:
• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
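
The "true file type" recommendation above can be checked automatically at the mail gateway or during triage. The following is an added example, not code from the advisory or from any of the agencies: the signature table is a small, non-exhaustive set of well-known magic bytes, and the function names and sample attachments are constructed for illustration.

```python
"""Flag attachments whose extension disagrees with their file header."""
from pathlib import PurePath

# Well-known magic bytes; a small, non-exhaustive table for illustration.
SIGNATURES = [
    ("pe", b"MZ"),                                  # Windows EXE/DLL/SCR
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),                         # also DOCX/XLSX/PPTX
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # legacy DOC/XLS/PPT
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("rtf", b"{\\rtf"),
]
EXPECTED = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".pdf": "pdf", ".zip": "zip",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".doc": "ole",
    ".xls": "ole", ".ppt": "ole", ".png": "png", ".jpg": "jpeg",
    ".jpeg": "jpeg", ".rtf": "rtf",
}

def sniff(header: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for kind, magic in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, header: bytes) -> str:
    """Return 'ok', 'mismatch', 'hidden-executable' or 'unverified'."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as .exe.
    ext = PurePath(filename.strip().rstrip(". ")).suffix.lower()
    expected, actual = EXPECTED.get(ext), sniff(header)
    if actual == "pe" and expected != "pe":
        return "hidden-executable"   # executable content behind another name
    if expected is None:
        return "unverified"          # extension not covered by the table
    return "ok" if actual == expected else "mismatch"

# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ("photo.jpg", b"PK\x03\x04\x14\x00"),
    ("setup.EXE. ", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name!r}: {check_attachment(name, head)}")
```

A "hidden-executable" or "mismatch" verdict is a reason to quarantine the attachment for review; "unverified" only means the table has no signature for that extension.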