US government goes all in to expose new malware used by North Korean hackers

EnlargeJung Yeon-Je/Getty Images

The US Pentagon, the FBI, and the Department of Homeland Security on Friday exposed a North Korean hacking operation and provided technical details for seven pieces of malware used in the campaign.

The US Cyber National Mission Force, an arm of the Pentagons US Cyber Command, said on Twitter that the malware is “currently used for phishing & remote access by [North Korean government] cyber actors to conduct illegal activity, steal funds & evade sanctions.” The tweet linked to a post on VirusTotal, the Alphabet-owned malware repository, that provided cryptographic hashes, file names, and other technical details that can help defenders identify compromises inside the networks they protect.

Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM

— USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020

An accompanying advisory from the DHSs Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the governments name for a hacking group sponsored by the North Korean Government. Many security researchers in the private sector use other names for the group, including Lazarus and Zinc. Six of the seven malware families were uploaded to VirusTotal on Friday. They included:

  • Bistromath, a full-featured remote access trojan and implant that performs system surveys, file uploads and downloads, process and command executions, and monitoring of microphones, clipboards, and screens
  • Slickshoes, a “dropper” that loads, but doesnt actually execute, a “beaconing implant” that can do many of the same things Bistromath does
  • Hotcroissant, a full-featured beaconing implant that also does many of the same things listed above
  • Artfulpie, an “implant that performs downloading and in-memory loading and execution of DLL files from a hardcoded url”
  • Buttetline, another full-featured implant, but this one uses fake a fake HTTPS scheme with a modified RC4 encryption cipher to remain stealthy
  • Crowdedflounder, a Windows executable thats designed to unpack and execute a Remote Access Trojan into computer memory

But wait… theres more

Fridays advisory from the Cybersecurity and Infrastructure Security Agency also provided additional details for the previously disclosed Hoplight, a family of 20 files that act as a proxy-based backdoor. None of the malware contained forged digital signatures, a technique thats standard among more advanced hacking operations that makes it easier to bypass endpoint security protections.

Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, posted an image on Twitter that showed the relationship between the malware detailed on Friday with malicious samples the Moscow-based security firm has identified in other campaigns attributed to Lazarus.

EnlargeKaspersky Lab

Fridays joint advisory is part of a relatively new approach by the federal government to publicly identify foreign-based hackers and the campaigns they carRead More – Source