US-CERT has issued a technical alert warning of two pieces of malware that are said to be used by the North Korean government.
The alert, issued jointly by the Department of Homeland Security and the Federal Bureau of Investigation, refers to the prolific APT group known as Hidden Cobra, which uses two pieces of malware: the remote access Trojan (RAT) Joanap and the SMB worm Brambul.
US-CERT claims, “Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally in the United States, including media, aerospace, financial, and critical infrastructure sectors.” Joanap has been spotted by the US Government on 87 compromised network nodes in at least 17 different countries, including China, Spain, Sweden, India, Brazil, and Iran.
Joanap is a fully functional RAT capable of receiving multiple commands issued remotely from a command and control server. The alert claims that “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.” US-CERT adds that the malware operates covertly, moving laterally inside an infected network to any connected nodes.
Brambul, on the other hand, is a brute-force authentication worm that spreads through SMB shares. SMB allows shared access to files between users on a network. US-CERT added that “this malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”
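The spreading behaviour described above leaves a recognisable trace on Windows hosts: a burst of failed network logons (Security Event ID 4625, logon type 3) from one source against several account names. The following detector is an added example, not code from the US-CERT alert or from the malware analysis; it runs over a constructed list of event records shaped like the relevant 4625 fields (the sample IP addresses, account names and timestamps are invented) and flags any source that fails at least `min_failures` network logons against at least `min_accounts` distinct accounts inside a sliding time window. The threshold values are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security: "An account failed to log on"
NETWORK_LOGON_TYPE = 3     # logon type recorded for SMB / network share access

# Constructed sample events modelled on Event ID 4625 fields (not real log data).
SAMPLE_EVENTS = [
    # One source cycling through a short list of common account names: the
    # pattern a credential-list brute force against SMB produces.
    {"time": "2018-05-29T10:00:00", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "administrator"},
    {"time": "2018-05-29T10:00:04", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "admin"},
    {"time": "2018-05-29T10:00:09", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "guest"},
    {"time": "2018-05-29T10:00:13", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "user"},
    {"time": "2018-05-29T10:00:18", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "Administrator"},
    {"time": "2018-05-29T10:00:22", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77", "account": "test"},
    # A user mistyping a password twice from a workstation: below threshold, one account.
    {"time": "2018-05-29T10:01:00", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.12", "account": "jsmith"},
    {"time": "2018-05-29T10:01:20", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.12", "account": "jsmith"},
    # Interactive (console) failure: not a network logon, ignored by the filter.
    {"time": "2018-05-29T10:02:00", "event_id": 4625, "logon_type": 2, "src_ip": "10.0.0.30", "account": "bob"},
    # A successful logon (4624) is not a failure event; ignored.
    {"time": "2018-05-29T10:02:30", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.12", "account": "jsmith"},
]


def parse_time(stamp):
    """Parse the ISO-style timestamp used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def detect_smb_bruteforce(events, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {src_ip: {"failures": n, "accounts": [...]}} for every source that
    produced at least `min_failures` failed network logons within any `window`,
    spread across at least `min_accounts` distinct account names.
    Thresholds are assumed defaults, not values from the alert."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == NETWORK_LOGON_TYPE:
            # Account names are case-insensitive on Windows; normalise before counting.
            by_src[ev["src_ip"]].append((parse_time(ev["time"]), ev["account"].lower()))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {account for _, account in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                prev = alerts.get(src)
                # Keep the densest window seen for this source.
                if prev is None or len(span) > prev["failures"]:
                    alerts[src] = {"failures": len(span), "accounts": sorted(accounts)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible SMB brute force from {src}: {info['failures']} failures "
              f"against {len(info['accounts'])} accounts: {', '.join(info['accounts'])}")
```

Requiring several distinct account names, not just a failure count, is what separates this pattern from an ordinary user locking themselves out; in a real deployment the records would come from the Security log of file servers and domain controllers, and a hit would be correlated with any subsequent successful logon from the same source.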
To combat this malware threat, DHS recommends the following mitigation steps and best practices to protect your computer networks:
- Keep operating systems and software up to date with the latest patches.
- Maintain up-to-date antivirus software, and scan all software downloaded from the internet.
- Restrict users’ permissions to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
- Scan for and remove suspicious email attachments.
- Disable Microsoft’s File and Printer Sharing service if it is not required by the user’s organization. If this service is required, use strong passwords or Active Directory authentication.
- Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.