DHS, FBI Share Details of North Korea’s ‘Typeframe’ Malware

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest report describes a piece of malware dubbed “Typeframe” and covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.

“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” the agencies said.

The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.

The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.

The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.

While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
