The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released six new malware reports on malicious cyber activity from North Korea.
The U.S. Government refers to North Korean government sponsored malicious cyber activity as HIDDEN COBRA.
The CISA and FBI released the new Malware Analysis Reports (MARs) and updated another MAR on February 14, 2020.
“Each MAR is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity,” CISA noted in the advisory.
See below for a brief description of each of the seven North Korean malware variants (and link to each of the CISA reports).
BISTROMATH
Description: “This report looks at multiple versions of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder. These samples performs simple XOR network encoding and are capable of many features including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and the screen. The GUI controllers allow interaction with the implant as well as the option to dynamically build new implants with customized options. The implants are loaded with a trojanized executable containing a fake bitmap which decodes into shellcode which loads the embedded implant.”
SLICKSHOES
Description: “This sample is a Themida-packed dropper that decodes and drops a file ‘C:\Windows\Web\taskenc.exe’ which is a Themida-packed beaconing implant. The beaconing implant does not execute the dropped file nor does it schedule any tasks to run the malware. The dropped beaconing implant uses an indigenous network encoding algorithm and is capable of many features including conducting system surveys, file upload/download, process and command execution, and screen captures.”
CROWDEDFLOUNDER
Description: “This report analyzes a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory. This application is designed to accept arguments during execution or can be installed as a service with command line arguments. It is designed to listen as a proxy for incoming connections containing commands or can connect to a remote server to receive commands.”
HOTCROISSANT
Description: “This report looks at a full-featured beaconing implant. This sample performs a custom XOR network encoding and is capable of many features including conducting system surveys, file upload/download, process and command execution, and performing screen captures.”
ARTFULPIE
Description: “This report looks at an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded url.”
BUFFETLINE
Description: “This report looks at a full-featured beaconing implant. This sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
HOPLIGHT (updated)
Description: “This report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.”
Each of the above reports include Indicators of compromise (IoC), sample trojan details and suggested mitigations to prevent malware incidents.