US-CERT has issued a technical alert warning of two pieces of malware that it attributes to the North Korean government.

The alert, issued jointly by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), concerns the prolific APT group known as Hidden Cobra, which uses two pieces of malware: the remote access Trojan (RAT) Joanap and the SMB worm Brambul.

US-CERT states, "Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors." During analysis of Joanap's infrastructure, the US Government identified 87 compromised network nodes whose IP addresses are registered in 17 different countries, including China, Spain, Sweden, India, Brazil, and Iran.

Joanap is a fully functional RAT capable of receiving multiple commands issued remotely from a command and control server. The alert notes that "Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments." US-CERT adds that the malware operates quietly, moving laterally inside an infected network to any connected nodes.

Brambul, on the other hand, is a brute-force authentication worm that spreads through SMB shares. SMB enables shared access to files between users on a network. US-CERT adds that "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks." The practical consequence is that a single infected host will generate a burst of failed network logons against many account names on each neighbouring machine it can reach over TCP 445, which is a pattern that is easy to spot in Windows Security logs.
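The following is an added example, not code from the alert or from NNT, showing how a defender can detect the Brambul pattern described above in Windows Security event data: many distinct account names failing a network logon (Event ID 4625, logon type 3, the type used for SMB access) from one source IP inside a short window, followed by a check for whether a successful logon (Event ID 4624) from that source came afterwards. The log lines are constructed for illustration, and the CSV layout, the `SAMPLE_LOG` name, and the thresholds are assumptions, not a format the alert defines.

```python
"""
Detect SMB credential-list brute forcing (the Brambul pattern) in a CSV
export of Windows Security events. Constructed sample data; the column
layout is an assumption for this example, not a Windows-defined format.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

NETWORK_LOGON = 3      # Windows logon type 3: network logon, used for SMB
LOGON_FAILED = 4625    # Security event: an account failed to log on
LOGON_SUCCESS = 4624   # Security event: an account was successfully logged on

# Constructed sample export: timestamp, event_id, logon_type, account, source_ip
SAMPLE_LOG = """\
2018-05-29T10:00:01,4625,3,Administrator,10.0.0.25
2018-05-29T10:00:02,4625,3,admin,10.0.0.25
2018-05-29T10:00:02,4625,3,guest,10.0.0.25
2018-05-29T10:00:03,4625,3,root,10.0.0.25
2018-05-29T10:00:03,4625,3,user,10.0.0.25
2018-05-29T10:00:04,4625,3,test,10.0.0.25
2018-05-29T10:00:05,4624,3,backup,10.0.0.25
2018-05-29T10:00:10,4625,2,jsmith,127.0.0.1
2018-05-29T10:05:00,4625,3,jsmith,10.0.0.77
2018-05-29T10:05:30,4625,3,jsmith,10.0.0.77
"""


def parse_events(text):
    """Parse the CSV export into (datetime, event_id, logon_type, account, src)."""
    events = []
    for ts, event_id, logon_type, account, src in csv.reader(StringIO(text)):
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), account.lower(), src))
    return events


def find_smb_bruteforce(events, window_seconds=60, min_accounts=5):
    """Return {source_ip: summary} for every source whose network-logon
    failures cover at least min_accounts distinct accounts within
    window_seconds. A single user mistyping a password never trips this,
    because the account count stays at one."""
    failures = defaultdict(list)   # src -> [(when, account)]
    successes = defaultdict(list)  # src -> [(when, account)]
    for when, event_id, logon_type, account, src in events:
        if logon_type != NETWORK_LOGON:
            continue  # interactive/local logons cannot be SMB traffic
        if event_id == LOGON_FAILED:
            failures[src].append((when, account))
        elif event_id == LOGON_SUCCESS:
            successes[src].append((when, account))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the left edge forward until the window fits.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) < min_accounts:
                continue
            first = attempts[start][0]
            alerts[src] = {
                "window_start": first.isoformat(),
                "failures": len(attempts),
                "accounts": sorted({a for _, a in attempts}),
                # A success after the spray means a credential on the
                # hard-coded list worked; that host needs immediate triage.
                "later_success": sorted({a for t, a in successes.get(src, [])
                                         if t >= first}),
            }
            break
    return alerts


if __name__ == "__main__":
    for src, summary in find_smb_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, summary)
```

On the sample, 10.0.0.25 is flagged: six account names fail within four seconds and the `backup` account then logs on successfully, which is exactly the outcome a hard-coded credential list produces when one entry matches. 10.0.0.77 is not flagged, since two failures for one account is ordinary user behaviour. In production the same logic runs over `Get-WinEvent` or SIEM output rather than an inline string; the thresholds (60 seconds, 5 accounts) are starting points to tune against your own baseline.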

To combat this threat, DHS recommends the following mitigation steps and best practices to protect your computer networks:

  1. Keep operating systems and software up to date with the latest patches.
  2. Maintain up-to-date antivirus software, and scan all software downloaded from the internet.
  3. Restrict users' permissions to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
  4. Scan for and remove suspicious email attachments.
  5. Disable Microsoft's File and Printer Sharing service if it is not required by the organization. If the service is required, use strong passwords or Active Directory authentication.
  6. Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.
Copyright 2021, New Net Technologies LLC. All rights reserved. 