Joanap Backdoor Trojan and Brambul SMB Worm

A new US-CERT Technical Alert (TA) warns that cyber actors are using the Joanap and Brambul malware families to target victims worldwide.

According to analysis by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), the malware has been in use since at least 2009 and has targeted victims in the media, aerospace, financial, and critical infrastructure sectors.

The indicators of compromise (IOCs) released with the alert are associated with two malware families that the U.S. Government attributes to the North Korean government, whose activity it tracks as HIDDEN COBRA.

The first malware identified, Joanap, is a remote access tool (RAT) “that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments,” according to the alert. 

The U.S. Government also identified 87 compromised network nodes during its analysis of the infrastructure used by Joanap.

The second family, Brambul, is a Server Message Block (SMB) worm: it spreads to other hosts by brute-forcing SMB authentication rather than by exploiting a software flaw.

“SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks,” US-CERT warned. 
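The pattern described above, a worm working through a hard-coded credential list over SMB, leaves a distinctive trail on the target: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source address across several account names, sometimes followed by a successful network logon (event 4624) from the same source. The detector below is an added example written for this article, not code from the US-CERT alert or from the malware analysis. The log lines are constructed, and their simplified key=value layout, the field names, and the thresholds are assumptions chosen for the example; a real deployment would read these fields from the Security event log or a SIEM.

```python
"""
Added example (not from the US-CERT alert): flag the SMB brute-force
pattern attributed to Brambul from Windows logon events. Network logon
failures (EventID 4625, LogonType 3) are grouped per source IP inside a
sliding window; a source with many failures across several accounts is
flagged, and a later network logon success (EventID 4624) from that
source is escalated to a probable compromise.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value layout (not a real export format).
SAMPLE_LOG = """\
2018-05-29T10:00:01Z EventID=4625 LogonType=3 Account=administrator SrcIP=10.0.0.5
2018-05-29T10:00:02Z EventID=4625 LogonType=3 Account=administrator SrcIP=10.0.0.5
2018-05-29T10:00:03Z EventID=4625 LogonType=3 Account=admin SrcIP=10.0.0.5
2018-05-29T10:00:04Z EventID=4625 LogonType=3 Account=guest SrcIP=10.0.0.5
2018-05-29T10:00:05Z EventID=4625 LogonType=3 Account=user SrcIP=10.0.0.5
2018-05-29T10:00:06Z EventID=4625 LogonType=3 Account=test SrcIP=10.0.0.5
2018-05-29T10:00:07Z EventID=4624 LogonType=3 Account=admin SrcIP=10.0.0.5
2018-05-29T10:05:00Z EventID=4625 LogonType=2 Account=jdoe SrcIP=127.0.0.1
2018-05-29T10:05:30Z EventID=4625 LogonType=3 Account=jdoe SrcIP=10.0.0.9
2018-05-29T10:06:00Z EventID=4624 LogonType=3 Account=jdoe SrcIP=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse the assumed key=value lines into event dicts; skip anything malformed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"].lower(),
            "ip": m["ip"],
        })
    return events


def detect_smb_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=3):
    """Return {source_ip: finding} for sources that look like a credential-list
    worm: at least min_failures network logon failures across at least
    min_accounts distinct accounts within the window. A subsequent network
    logon success from a flagged source raises the severity."""
    failures = defaultdict(list)   # ip -> [(ts, account), ...] within the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 3:
            continue  # only network logons are relevant to SMB access
        ip = ev["ip"]
        if ev["eid"] == 4625:
            failures[ip].append((ev["ts"], ev["account"]))
            # Drop failures that fell out of the sliding window.
            failures[ip] = [f for f in failures[ip] if ev["ts"] - f[0] <= window]
            accounts = {acct for _, acct in failures[ip]}
            if len(failures[ip]) >= min_failures and len(accounts) >= min_accounts:
                finding = findings.setdefault(ip, {
                    "severity": "suspicious",
                    "failures": 0,
                    "accounts": set(),
                    "success_account": None,
                })
                finding["failures"] = len(failures[ip])
                finding["accounts"] = accounts
        elif ev["eid"] == 4624 and ip in findings:
            # Success after a flagged burst: the credential list likely worked.
            findings[ip]["severity"] = "probable compromise"
            findings[ip]["success_account"] = ev["account"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_smb_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, f["severity"], f["failures"], sorted(f["accounts"]), f["success_account"])
```

In the constructed sample, 10.0.0.5 trips the threshold after five failures against four account names and is escalated when the admin logon succeeds; the interactive failure from 127.0.0.1 and the single failure from 10.0.0.9 are ignored. The distinct-account requirement is what separates a credential-list worm from one user mistyping a password, and the thresholds need tuning against vulnerability scanners and account lockout policy in a real environment. Where SMB is not needed on a workstation, blocking inbound TCP 445 at the host firewall (the alert's File and Printer Sharing and personal firewall items) removes the attack surface this detector watches.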

DHS also provided mitigation guidance that organizations can apply against Joanap and Brambul, including:

  • Keep operating systems and software patched and up to date.
  • Maintain up-to-date antivirus software, and scan downloaded software for malware before executing it.
  • Restrict users' permissions to install and run unwanted software, and apply the principle of least privilege.
  • Scan for and remove suspicious email attachments, and use caution when opening attachments.
  • Follow safe practices when browsing the web.
  • Disable Microsoft's File and Printer Sharing service if the organization does not require it.
  • Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.

Read the full US-CERT alert for more detail on the threat, its indicators of compromise, and the mitigation guidance.