The United States Cyber Command (USCYBERCOM) has uploaded five malware samples to VirusTotal today, which it has attributed to the North Korean threat group Lazarus.
Since November 2018, USCYBERCOM has shared numerous malware samples as part of a project started by its Cyber National Mission Force (CNMF), including malicious files attributed to nation states from North Korea, Russia, and Iran.
In September last year, it shared with the popular scanning engine 11 samples attributed to Lazarus, which the U.S. refers to as “Hidden Cobra.” Six other samples were added in February this year.
Today, USCYBERCOM shared five more files, four of which appear to have been created in 2018, and one dated 2017.
These files are samples of three malware families that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) are calling COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.
Two of the samples have high detection rates on VirusTotal, with more than 35 of the 71 antivirus engines recognizing them as malicious. One of the files appears to be a variant of Destover that was initially spotted in 2017.
COPPERHEDGE is the malware family that many security companies track as Manuscrypt, and which has been used in previous attacks on cryptocurrency exchanges and related entities.
A full-featured Remote Access Tool (RAT), Manuscrypt provides attackers with the ability to run arbitrary commands on compromised machines, perform system reconnaissance, and exfiltrate data deemed of interest.
Analysis of network and code features has revealed the existence of six distinct variants of the malware, USCYBERCOM says.
TAINTEDSCRIBE is described as a full-featured beaconing implant that is accompanied by its command modules. The malware can download/upload/delete/execute files, enable Windows CLI access, create/terminate processes, and enumerate the target system.
“These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator,” USCYBERCOM explains.
PEBBLEDASH, another full-featured beaconing implant with similar capabilities, also uses FakeTLS for session authentication but relies on RC4 for network encoding.
The samples appear to share some code similarities that result in some detection engines identifying them as variants of the NukeSped RAT, something that was observed with previously shared malware samples as well.