Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

U.S. Attributes Two More Malware Families to North Korea

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.

The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including ones targeting Sony Pictures, Bangladesh’s central bank and various financial organizations. Some of the group’s campaigns are tracked as Operation BlockbusterDark Seoul and Operation Troy. Five Eyes countries have also officially blamed Lazarus for the WannaCry attack.US government shares details on Joanap and Brambul malware used by North Korea

According to the DHS and FBI, Joanap and Brambul have been used by Hidden Cobra since at least 2009 in attacks aimed at organizations in the United States and elsewhere, including in the media, financial, aerospace and critical infrastructure sectors.

Joanap is a two-stage malware that allows hackers to exfiltrate data and install other threats on the system.

Brambul is a worm that abuses the Server Message Block (SMB) protocol to spread to other systems through dictionary attacks. Its list of capabilities also includes harvesting system information (which it sends to the attackers via email), accepting command-line arguments, and executing what analysts call a “suicide script.”

The DHS and the FBI have published several alerts in the past year describing Hidden Cobra tools, including Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

North Korea has been blamed for several major attacks, but Pyongyang has always denied the accusations. On the other hand, threat actors linked to North Korea don’t seem to be deterred by accusations and the numerous reports published in the past years by cybersecurity companies, and they continue launching attacks, including with new tools and zero-day exploits.

Advertisement. Scroll to continue reading.

Related: Watering Hole Attack Exploits North Korea’s Flash Flaw

Related: North Korea Cyber Threat ‘More Aggressive Than China’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...