U.S. Cyber Command Shares More North Korean Malware Variants

The United States Cyber Command (USCYBERCOM) has uploaded five malware samples to VirusTotal today, attributing them to the North Korean threat group Lazarus.


Since November 2018, USCYBERCOM has shared numerous malware samples as part of a project started by its Cyber National Mission Force (CNMF), including malicious files attributed to nation-state actors from North Korea, Russia, and Iran.

In September last year, it shared with the popular scanning engine 11 samples attributed to Lazarus, which the U.S. government refers to as “Hidden Cobra.” Six more samples were added in February this year.

Today, USCYBERCOM shared five more files, four of which appear to have been created in 2018, and one dated 2017. 

These files are samples of three malware families that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) are calling COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH. 

Two of the samples have high detection rates on VirusTotal, with more than 35 of the 71 antivirus engines recognizing them as malicious. One of the files appears to be a variant of Destover that was initially spotted in 2017.

COPPERHEDGE is the malware family that many security companies track as Manuscrypt, and which has been used in previous attacks on cryptocurrency exchanges and related entities.


A full-featured Remote Access Tool (RAT), Manuscrypt lets attackers run arbitrary commands on compromised machines, perform system reconnaissance, and exfiltrate data of interest.

Analysis of network and code features has revealed the existence of six distinct variants of the malware, USCYBERCOM says. 

TAINTEDSCRIBE is described as a full-featured beaconing implant that is accompanied by its command modules. The malware can download/upload/delete/execute files, enable Windows CLI access, create/terminate processes, and enumerate the target system. 

“These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator,” USCYBERCOM explains.

PEBBLEDASH is another full-featured beaconing implant with similar capabilities; it also uses FakeTLS for session authentication but relies on RC4 rather than an LFSR for network encoding.
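As an added example, not code from the article or from USCYBERCOM's analysis, the following Python models the two network-encoding schemes named above (TAINTEDSCRIBE's LFSR keystream and PEBBLEDASH's RC4) applied to a beacon body wrapped in a TLS-looking application-data record, and then shows the practical difference between them: a few bytes of predictable plaintext (a fixed beacon header) let Berlekamp-Massey recover the LFSR's recurrence and, with it, the rest of the session, whereas the same attack fails against RC4. The LFSR width and taps, the RC4 key, the record framing and the beacon bytes are all hypothetical; the article does not give the real implants' parameters.

```python
"""Added example, not code from the article or from USCYBERCOM/CISA.

Models TAINTEDSCRIBE-style LFSR keystream and PEBBLEDASH-style RC4
"network encoding" over a beacon body wrapped in a TLS-looking record,
then shows that a short known-plaintext prefix recovers an LFSR keystream
(Berlekamp-Massey) while the same attack fails against RC4.
Every parameter below is hypothetical: the article gives none of them.
"""
from typing import List, Tuple

LFSR_STATE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]  # hypothetical 16-bit seed
LFSR_TAPS = [0, 2, 3, 5]                                        # hypothetical feedback taps
RC4_KEY = b"Key"                                                # hypothetical RC4 key
BEACON = b"BEACON01" + b"host=WS-17;user=jdoe;os=10.0.17763"   # constructed beacon, fixed 8-byte header

def lfsr_bits(state: List[int], taps: List[int], nbits: int) -> List[int]:
    """Fibonacci LFSR: emit the last cell, shift in the XOR of the tapped cells."""
    s, out = list(state), []
    for _ in range(nbits):
        out.append(s[-1])
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = [fb] + s[:-1]
    return out

def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)]

def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 key scheduling plus PRGA; returns n keystream bytes."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wrap_record(body: bytes) -> bytes:
    """Hypothetical FakeTLS framing: a TLS 1.0 application-data record header."""
    return b"\x17\x03\x01" + len(body).to_bytes(2, "big") + body

def unwrap_record(rec: bytes) -> bytes:
    if rec[:3] != b"\x17\x03\x01" or int.from_bytes(rec[3:5], "big") != len(rec) - 5:
        raise ValueError("not a well-formed application-data record")
    return rec[5:]

def encrypt_lfsr_style(plain: bytes) -> bytes:
    ks = bits_to_bytes(lfsr_bits(LFSR_STATE, LFSR_TAPS, 8 * len(plain)))
    return wrap_record(xor(plain, ks))

def encrypt_rc4_style(plain: bytes) -> bytes:
    return wrap_record(xor(plain, rc4_keystream(RC4_KEY, len(plain))))

def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR over GF(2) generating `bits`: (length L, connection polynomial c)."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def known_plaintext_recover(record: bytes, known_prefix: bytes) -> Tuple[int, bytes]:
    """Learn the keystream recurrence from a known prefix, regenerate it, decrypt the rest.
    Needs at least 2L bits of known keystream for an L-bit register (8 bytes covers L <= 32)."""
    ct = unwrap_record(record)
    ks = bytes_to_bits(xor(ct[:len(known_prefix)], known_prefix))
    L, c = berlekamp_massey(ks)
    while len(ks) < 8 * len(ct):
        ks.append(sum(c[j] & ks[-j] for j in range(1, L + 1)) & 1)
    return L, xor(ct, bits_to_bytes(ks))

if __name__ == "__main__":
    L, pt = known_plaintext_recover(encrypt_lfsr_style(BEACON), BEACON[:8])
    print("LFSR: linear complexity", L, "recovered:", pt == BEACON)
    L, pt = known_plaintext_recover(encrypt_rc4_style(BEACON), BEACON[:8])
    print("RC4:  linear complexity", L, "recovered:", pt == BEACON)
```

The LFSR side is why an analyst with a capture and a guessable beacon header can decrypt a TAINTEDSCRIBE-style session without the key: an L-bit register is fully determined by 2L consecutive keystream bits, so the 64 known bits here are more than enough for a 16-bit register. RC4's known weaknesses are statistical keystream biases, not a linear recurrence, so the same shortcut does not apply; decrypting the PEBBLEDASH-style record still requires the RC4 key, which in practice comes from the sample itself.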

The samples appear to share enough code that some detection engines identify them as variants of the NukeSped RAT, as was also observed with previously shared samples.

Related: USCYBERCOM Shares More North Korean Malware Samples

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
