US Govt Updates Info on North Korean Malware
by Sergiu Gatlan
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released new info on North Korean malware with six new and updated Malware Analysis Reports (MARs) related to malicious cyber activity from North Korea.
Each of these MARs is designed to provide organizations with detailed malware analysis information acquired via manual reverse engineering.
They are also issued to help network defenders detect and reduce exposure to HIDDEN COBRA, the name the U.S. government uses for malicious cyber activity by the North Korean government.
Users and administrators are urged by CISA to carefully review the seven MARs released today:
- AR20-045A — BISTROMATH (a full-featured RAT)
- AR20-045B — SLICKSHOES (Themida-packed malware dropper)
- AR20-045C — CROWDEDFLOUNDER (Remote Access Trojan loader)
- AR20-045D — HOTCROISSANT (beaconing implant with backdoor capabilities)
- AR20-045E — ARTFULPIE (loads and executes a DLL from a hardcoded URL)
- AR20-045F — BUFFETLINE (beaconing implant with backdoor features)
- AR20-045G — HOPLIGHT (backdoor Trojan)
"The information contained in these most recent seven (7) MARs, as well as the previous work linked below, is the result of analytic efforts between the U.S. Department of Homeland Security (DHS), the U.S. Department of Defense (DOD), and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government," CISA explains.
Each MAR comes with detailed "malware descriptions, suggested response actions, and recommended mitigation techniques."
US Cyber Command also uploaded malware samples to VirusTotal, saying that "this malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions."
Cyber National Mission Force "enables whole-of-government efforts to ID #NorthKorea cyber activities, including #DPRK malware that exploits financial institutions, conducts espionage & enables #cyber attacks against US & partners."
In 2019, CISA and the FBI also released joint MARs on a malware strain dubbed ELECTRICFISH, used by the North Korean APT group Lazarus to collect and steal data from victims, as well as on the Lazarus HOPLIGHT Trojan, whose MAR was updated today.
CISA advises organizations to follow these best practices to strengthen their security posture:
• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
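One way to implement the "true file type" check from the list above, as an added example that is not code from the CISA reports: it compares the extension an attachment claims against the magic bytes at the start of the file. The signature table covers a handful of common formats and the sample headers are constructed, not real attachments.

```python
from pathlib import PurePath

# Magic-byte signatures at offset 0 for common attachment types. These are
# public file-format facts; extend the table for other types you accept.
SIGNATURES = {
    "pdf":  [b"%PDF-"],
    "exe":  [b"MZ"],                       # PE executable (DOS header)
    "dll":  [b"MZ"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "docx": [b"PK\x03\x04"],               # OOXML documents are ZIP containers
    "xlsx": [b"PK\x03\x04"],
    "doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
    "xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

def detect_types(header: bytes) -> set:
    """Return every extension whose signature matches the file header."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(s) for s in sigs)}

def check_attachment(filename: str, header: bytes) -> dict:
    """Compare the claimed extension with what the magic bytes say."""
    ext = PurePath(filename).suffix.lower().lstrip(".")
    actual = detect_types(header)
    if ext in SIGNATURES:
        verdict = "match" if ext in actual else "mismatch"
    else:
        verdict = "unknown-extension"
    # The case defenders most want flagged: the name claims a document or
    # image, but the header is a PE executable.
    return {
        "filename": filename,
        "claimed": ext,
        "detected": sorted(actual),
        "verdict": verdict,
        "hidden_executable": ext not in {"exe", "dll"} and "exe" in actual,
    }

# Constructed sample headers (first bytes only), not real attachments.
SAMPLES = {
    "invoice.pdf":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "report.docx":   b"PK\x03\x04\x14\x00\x06\x00",
    "photo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # PE bytes under a .pdf name
}

def scan_samples() -> dict:
    """Run the check over every constructed sample, keyed by filename."""
    return {name: check_attachment(name, hdr) for name, hdr in SAMPLES.items()}

if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:14} claimed={r['claimed']:4} detected={r['detected']} -> {r['verdict']}")
```

In a mail gateway you would read only the first 16 or so bytes of each attachment and quarantine anything that returns "mismatch" or sets hidden_executable.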
Additional info on how to prevent malware infections can be found in the Guide to Malware Incident Prevention and Handling for Desktops and Laptops provided by the National Institute of Standards and Technology (NIST).
More information regarding HIDDEN COBRA activity, in the form of previous alerts and MARs released via the National Cyber Awareness System, is available here.