US-CERT has issued a technical alert warning of two pieces of malware said to be used by the North Korean government.

The alert, issued jointly by the Department of Homeland Security and the Federal Bureau of Investigation, refers to the prolific APT group known as Hidden Cobra, which uses two pieces of malware: the remote access Trojan (RAT) Joanap and the SMB worm Brambul.

US-CERT states, “Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally in the United States, including media, aerospace, financial, and critical infrastructure sectors.” Joanap has been spotted by the US Government on 87 compromised network nodes in at least 17 different countries, including China, Spain, Sweden, India, Brazil, and Iran.

Joanap is a fully functional RAT capable of receiving multiple commands issued remotely from a command and control server. The alert states that “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.” US-CERT adds that the malware operates covertly, moving laterally inside an infected network to any connected nodes.

Brambul, on the other hand, is a brute-force authentication worm that spreads through SMB shares. SMB allows shared access to files between users on a network. US-CERT added that this malware “typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”
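A worm that cycles through a hard-coded credential list leaves a distinctive trace on the victim side: a single source address producing a burst of failed network logons (Windows Security event 4625, logon type 3) across several accounts and several hosts in a short window. The detection below is an added example written for this article, not code from US-CERT or from the vendors mentioned; the event lines, the 4625/logon-type-3 flattening, the hostnames and the alert thresholds (20 failures over at least 5 accounts within 5 minutes) are all constructed assumptions to be tuned to a real environment.

```python
"""Flag SMB-style password guessing from flattened Windows failed-logon events.

Added example with constructed sample data; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: event 4625 (failed logon) exported as CSV-like lines.
# Fields: timestamp, event_id, logon_type, source_ip, target_host, account.
# Logon type 3 = network logon, which is what SMB authentication produces.
# Source 10.0.0.5 mimics a credential-list worm: 25 failures over 7 account
# names against three file servers within 25 seconds. Source 10.0.0.20 is a
# user mistyping a password, which must not be flagged.
SAMPLE_EVENTS = "\n".join(
    [f"2020-01-10T09:00:{i:02d},4625,3,10.0.0.5,FS-0{(i % 3) + 1},{acct}"
     for i, acct in enumerate(
         ["administrator", "admin", "user", "guest", "test", "root"] * 4 + ["backup"])]
    + [
        "2020-01-10T09:01:00,4625,2,10.0.0.20,WS-17,jsmith",  # console logon, not network
        "2020-01-10T09:02:00,4625,3,10.0.0.20,FS-01,jsmith",
        "2020-01-10T09:02:30,4625,3,10.0.0.20,FS-01,jsmith",
        "2020-01-10T09:03:00,4624,3,10.0.0.20,FS-01,jsmith",  # success, ignored
    ]
)


def parse_events(text):
    """Parse the flattened log lines into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, host, account = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "host": host,
            "account": account.lower(),
        })
    return events


def find_smb_bruteforce(events, window=timedelta(minutes=5),
                        min_failures=20, min_accounts=5):
    """Return one alert per source IP whose network-logon failures within any
    sliding `window` reach `min_failures` spread over >= `min_accounts` accounts."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {e["account"] for e in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                cand = {"src": src, "failures": len(span),
                        "accounts": sorted(accounts),
                        "hosts": sorted({e["host"] for e in span}),
                        "first": span[0]["time"], "last": span[-1]["time"]}
                if best is None or cand["failures"] > best["failures"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_smb_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['src']}: {a['failures']} failed network logons across "
              f"{len(a['accounts'])} accounts and hosts {a['hosts']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The spread across accounts and hosts is what separates a credential-list worm from a single user locking themselves out; on a real network the same logic can be fed from a SIEM export, and the per-account spread also distinguishes this pattern from password spraying, where many sources try one account each.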

To combat this malware threat, DHS recommends the following mitigation steps and best practices to protect computer networks:

  1. Keep operating systems and software up to date with the latest patches.
  2. Maintain up-to-date antivirus software, and scan all software downloaded from the internet.
  3. Restrict users’ permissions to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
  4. Scan for and remove suspicious email attachments.
  5. Disable Microsoft’s File and Printer Sharing service if it is not required by the user’s organization. If this service is required, use strong passwords or Active Directory authentication.
  6. Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.