US-CERT has issued a technical alert warning of two pieces of malware said to be used by the North Korean government.

The alert, issued jointly by the Department of Homeland Security and the Federal Bureau of Investigation, refers to the prolific APT group known as Hidden Cobra, which uses two pieces of malware: the remote access Trojan (RAT) Joanap and the SMB worm Brambul.

US-CERT states: “Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States, including media, aerospace, financial, and critical infrastructure sectors.” The US Government has identified Joanap on 87 compromised network nodes in at least 17 countries, including China, Spain, Sweden, India, Brazil, and Iran.

Joanap is a fully functional RAT capable of receiving multiple commands issued remotely from a command and control server. The alert states that “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.” US-CERT adds that, once installed, the malware operates covertly and can move laterally to other nodes on the infected network.

Brambul, on the other hand, is a brute-force authentication worm that spreads through SMB shares. SMB allows shared access to files between users on a network. US-CERT adds that the malware “typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.” Because that credential list is fixed, Brambul does not exploit a flaw in SMB itself: it only gains a foothold on hosts whose accounts use one of the passwords it carries, which makes weak and shared local passwords the real exposure.
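
Brambul’s spreading behaviour leaves a recognisable trace on the targets: a burst of failed network logons (Windows Security Event ID 4625 with logon type 3) from one client, cycling through a fixed set of usernames against many hosts, which is quite different from a single user mistyping one password. The Python script below is an added example, not code from the US-CERT alert or from NNT; it runs that detection over constructed sample records. The pipe-separated record format, the IP addresses and hostnames, the username list and the thresholds are all assumptions made for the illustration.

```python
"""Flag Brambul-style SMB credential brute forcing in Windows Security
event log records (Event ID 4625, "An account failed to log on").

Added example, not code from the US-CERT alert. The records below are
constructed for illustration: the field names follow the 4625 event
(TargetUserName, IpAddress, LogonType) but every value is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FailedLogon:
    when: datetime
    host: str        # computer that recorded the 4625 (the SMB target)
    user: str        # TargetUserName the client tried
    source: str      # IpAddress of the authenticating client
    logon_type: int  # 3 = network logon, which is what SMB uses


def parse_line(line: str) -> FailedLogon:
    """Parse one constructed record: 'timestamp|host|user|source_ip|logon_type'."""
    ts, host, user, src, lt = line.strip().split("|")
    return FailedLogon(datetime.fromisoformat(ts), host, user, src, int(lt))


# Constructed sample. 10.0.0.23 walks a short fixed credential list across
# three hosts in under a minute (the worm pattern); the last three lines are
# 10.0.0.40 mistyping one password three times (benign noise). The logon
# type 2 line is an interactive failure and must be ignored by the detector.
SAMPLE_LOG = """
2018-05-29T09:00:01|FS01|administrator|10.0.0.23|3
2018-05-29T09:00:03|FS01|admin|10.0.0.23|3
2018-05-29T09:00:05|FS01|guest|10.0.0.23|3
2018-05-29T09:00:07|FS01|user|10.0.0.23|3
2018-05-29T09:00:20|FS02|administrator|10.0.0.23|3
2018-05-29T09:00:22|FS02|admin|10.0.0.23|3
2018-05-29T09:00:24|FS02|root|10.0.0.23|3
2018-05-29T09:00:26|FS02|test|10.0.0.23|3
2018-05-29T09:00:40|WS17|administrator|10.0.0.23|3
2018-05-29T09:00:42|WS17|admin|10.0.0.23|3
2018-05-29T09:00:44|WS17|guest|10.0.0.23|3
2018-05-29T09:00:46|WS17|user|10.0.0.23|3
2018-05-29T09:01:00|WS17|jsmith|10.0.0.23|2
2018-05-29T09:05:00|FS01|jsmith|10.0.0.40|3
2018-05-29T09:05:10|FS01|jsmith|10.0.0.40|3
2018-05-29T09:05:20|FS01|jsmith|10.0.0.40|3
"""

SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.strip().splitlines()]


def detect_smb_bruteforce(events, window_seconds=300, min_failures=10, min_users=5):
    """Return {source_ip: (failures, distinct_users, distinct_hosts)} for each
    source whose network-logon failures inside some window of window_seconds
    reach min_failures and touch at least min_users distinct usernames.

    Many usernames from one client is what separates a hard-coded credential
    list from a single user retyping a password. The thresholds are
    assumptions for this example; tune them to your environment.
    """
    by_source = defaultdict(list)
    for e in events:
        if e.logon_type == 3:          # ignore interactive/service logons
            by_source[e.source].append(e)

    alerts = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end].when - evs[start].when).total_seconds() > window_seconds:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hosts = {e.host for e in span}
                best = alerts.get(src)
                if best is None or len(span) > best[0]:   # keep the widest window seen
                    alerts[src] = (len(span), len(users), len(hosts))
    return alerts


if __name__ == "__main__":
    for src, (n, users, hosts) in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {n} failed network logons, {users} usernames, {hosts} hosts")
```

In a real deployment the fields would come from Get-WinEvent or a SIEM rather than the pipe-separated format assumed here. The distinct-username threshold is what keeps one user’s typos from paging anyone, and the (failures, usernames, hosts) tuple tells the responder the scope of the spray at a glance. A successful network logon (Event ID 4624, logon type 3) from the same source shortly after such a burst is the higher-priority signal, because it means one of the hard-coded credentials worked and the worm has a new host to spread from.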

To combat this malware threat, DHS recommends the following mitigation steps and best practices to protect your networks:

  1. Keep operating systems and software up to date with the latest patches.
  2. Maintain up-to-date antivirus software, and scan all software downloaded from the internet before it is run.
  3. Restrict users’ permissions to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
  4. Scan for and remove suspicious email attachments.
  5. Disable Microsoft’s File and Printer Sharing service if the organization does not require it. If it is required, use strong passwords or Active Directory authentication, since Brambul only succeeds against accounts whose passwords appear in its hard-coded list.
  6. Enable a personal firewall on organization workstations and configure it to deny unsolicited inbound connection requests, including SMB from hosts that have no business reaching the workstation.
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.