The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified Trojan malware variants, HARDRAIN and BADCALL, used by the North Korean government.
Malicious cyber activity by the North Korean government is referred to by the U.S. government as HIDDEN COBRA.
As part of the NCCIC/US-CERT alert, analysis and technical details of the tools and infrastructure used by cyber actors of the North Korean government were released. The purpose of the report is to give network defenders the details they need to help reduce exposure to HIDDEN COBRA cyber activity.
A brief excerpt describing the malware covered in the Malware Analysis Reports (MARs):
“This report provides analysis of three (3) malicious executable files. The first two (2) files are 32-bit Windows executables that function as proxy servers and implement a ‘Fake TLS’ method similar to the behavior described in a previously published NCCIC report, MAR-10135536-B. The third file is an Android Package Kit (APK) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT).”
A MAR is intended to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware.