Remote Attacks

The North Korean government-backed hacker group tracked as “HIDDEN COBRA” has been found operating several malicious cyber campaigns in which it used three new malware variants, according to US government reports.

Apart from this, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) stated that “The North Korean government-backed hacker group, ‘HIDDEN COBRA’, used these variants of malware for phishing and remote access to carry out illicit activities like stealing funds, evading sanctions, and much more.”

Moreover, the US government has also uploaded the five new malware samples associated with the DPRK to the malware aggregation repository VirusTotal. In addition, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have released three Malware Analysis Reports (MARs):

  • North Korean Remote Access Tool: COPPERHEDGE
  • North Korean Trojan: TAINTEDSCRIBE
  • North Korean Trojan: PEBBLEDASH

North Korean Remote Access Tool: COPPERHEDGE

COPPERHEDGE is the first of the three malware variants attributed to the North Korean government-backed hacker group that the US security agencies describe in this set of Malware Analysis Reports. It is classified as a Remote Access Tool (RAT), and it has been used to target cryptocurrency exchanges and related entities.

This RAT allows the advanced persistent threat (APT) actors to perform system surveillance, execute arbitrary code, run arbitrary commands, and much more in order to steal and exfiltrate confidential and essential data.

North Korean Trojan: TAINTEDSCRIBE

The U.S. Government security partners, DHS, FBI, and DoD, identified this variant as a trojan and named it ‘TAINTEDSCRIBE’. According to their reports, this variant allows the threat actors to maintain their presence on victim networks and to use proxy servers to further exploit the network.

Moreover, ‘TAINTEDSCRIBE’ downloads its command execution module from a command and control (C2) server, which gives it the full ability to perform key tasks such as downloading, uploading, deleting and executing files, creating and terminating processes, enabling Windows command-line (CLI) access, and much more.

That is why the U.S. government security agencies, DHS, FBI, and DoD, are distributing this MAR (Malware Analysis Report): to help organizations mitigate this threat and reduce their exposure to the North Korean government’s malicious cyber activities.

North Korean Trojan: PEBBLEDASH

PEBBLEDASH is the third and last variant, and it is also identified as a trojan by the U.S. Government security partners, DHS, FBI, and DoD. Just like ‘TAINTEDSCRIBE’, it allows the threat actors to perform tasks such as downloading, uploading, deleting and executing files, creating and terminating processes, enabling Windows CLI access, and much more.

In short, ‘PEBBLEDASH’ is a cloned version of the North Korean Trojan ‘TAINTEDSCRIBE’ and has all the capabilities that TAINTEDSCRIBE offers. That is why the U.S. government security agencies are distributing this MAR (Malware Analysis Report): to reduce the impact of these three variants of North Korean malware.

Six other Malware Analysis Reports (MARs) on North Korean malware were also published by the U.S. government in mid-February, and here they are:

  • North Korean Trojan: BISTROMATH
  • North Korean Trojan: SLICKSHOES
  • North Korean Trojan: CROWDEDFLOUNDER
  • North Korean Trojan: HOTCROISSANT
  • North Korean Trojan: ARTFULPIE
  • North Korean Trojan: BUFFETLINE
  • North Korean Trojan: HOPLIGHT

The US security agencies, the FBI and CISA, had already reported on two other malware variants in 2019, known as the ‘ELECTRICFISH’ and ‘HOPLIGHT’ trojans. These two variants were used by the North Korean APT group Lazarus to steal data and mask malicious traffic.
