Security Experts:

U.S. Attributes Two More Malware Families to North Korea

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.

The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including ones targeting Sony Pictures, Bangladesh’s central bank and various financial organizations. Some of the group’s campaigns are tracked as Operation BlockbusterDark Seoul and Operation Troy. Five Eyes countries have also officially blamed Lazarus for the WannaCry attack.US government shares details on Joanap and Brambul malware used by North Korea

According to the DHS and FBI, Joanap and Brambul have been used by Hidden Cobra since at least 2009 in attacks aimed at organizations in the United States and elsewhere, including in the media, financial, aerospace and critical infrastructure sectors.

Joanap is a two-stage malware that allows hackers to exfiltrate data and install other threats on the system.

Brambul is a worm that abuses the Server Message Block (SMB) protocol to spread to other systems through dictionary attacks. Its list of capabilities also includes harvesting system information (which it sends to the attackers via email), accepting command-line arguments, and executing what analysts call a “suicide script.”

The DHS and the FBI have published several alerts in the past year describing Hidden Cobra tools, including Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

North Korea has been blamed for several major attacks, but Pyongyang has always denied the accusations. On the other hand, threat actors linked to North Korea don’t seem to be deterred by accusations and the numerous reports published in the past years by cybersecurity companies, and they continue launching attacks, including with new tools and zero-day exploits.

Related: Watering Hole Attack Exploits North Korea's Flash Flaw

Related: North Korea Cyber Threat 'More Aggressive Than China'

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.