U.S. Cyber Command Shares More North Korean Malware Variants

The United States Cyber Command (USCYBERCOM) has uploaded five malware samples to VirusTotal today, attributing them to the North Korean threat group Lazarus.

Since November 2018, USCYBERCOM has shared numerous malware samples as part of a project started by its Cyber National Mission Force (CNMF), including malicious files attributed to state-backed actors from North Korea, Russia, and Iran.

In September last year, it shared with the popular scanning engine 11 samples attributed to Lazarus, which the U.S. government tracks as “Hidden Cobra.” Six more samples were added in February this year.

Today, USCYBERCOM shared five more files, four of which appear to have been created in 2018, and one dated 2017. 

These files are samples of three malware families that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) are calling COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH. 

Two of the samples have high detection rates on VirusTotal, with more than 35 of the 71 antivirus engines recognizing them as malicious. One of the files appears to be a variant of Destover that was initially spotted in 2017.

COPPERHEDGE is the malware family that many security companies track as Manuscrypt, and which has been used in previous attacks on cryptocurrency exchanges and related entities.

Manuscrypt is a full-featured Remote Access Tool (RAT) that lets attackers run arbitrary commands on compromised machines, perform system reconnaissance, and exfiltrate data deemed of interest.


Analysis of network and code features has revealed the existence of six distinct variants of the malware, USCYBERCOM says. 

TAINTEDSCRIBE is described as a full-featured beaconing implant that is accompanied by its command modules. The malware can download/upload/delete/execute files, enable Windows CLI access, create/terminate processes, and enumerate the target system. 

“These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator,” USCYBERCOM explains.

PEBBLEDASH is another full-featured beaconing implant with similar capabilities; it also uses FakeTLS for session authentication but encodes its network traffic with RC4 instead of an LFSR.
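The two preceding paragraphs describe one pattern with two ciphers: the implant frames its command-and-control traffic as TLS records so that it passes for HTTPS on the wire (the “FakeTLS” part), but the payload is encrypted with a home-grown stream cipher rather than a negotiated TLS key, an LFSR in TAINTEDSCRIBE and RC4 in PEBBLEDASH. The Python below is an added example written for this article; it is not code from USCYBERCOM, CISA, or the implants themselves, and the 32-bit LFSR taps, the way RC4 is keyed, and the fixed four-byte beacon header are assumptions chosen for illustration. It builds a FakeTLS-framed beacon and then shows the analyst’s side of the same design: with a Fibonacci LFSR, 32 consecutive keystream bits are the register state, so four bytes of predictable plaintext recover the seed and decrypt the whole session, while RC4 does not fall to that trick directly but leaks plaintext just as readily when a static key is reused across sessions.

```python
import struct

TLS_APP_DATA = 0x17        # TLS "application data" content type
TLS_VERSION = b"\x03\x03"  # TLS 1.2 record-layer version, as real HTTPS carries

def tls_record(payload: bytes, content_type: int = TLS_APP_DATA) -> bytes:
    """Wrap a payload in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + TLS_VERSION + struct.pack(">H", len(payload)) + payload

def parse_tls_records(stream: bytes) -> list:
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, i = [], 0
    while i + 5 <= len(stream):
        ctype, version = stream[i], stream[i + 1:i + 3]
        length = struct.unpack(">H", stream[i + 3:i + 5])[0]
        body = stream[i + 5:i + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, body))
        i += 5 + length
    return records

class LFSR32:
    """Toy 32-bit Fibonacci LFSR keystream; taps are an assumption, not the implant's."""
    TAPS = (32, 22, 2, 1)  # feedback polynomial x^32 + x^22 + x^2 + x + 1

    def __init__(self, seed: int):
        self.state = seed & 0xFFFFFFFF
        if self.state == 0:
            raise ValueError("an all-zero LFSR state never leaves zero")

    def next_bit(self) -> int:
        out = self.state & 1                      # output is the low state bit
        fb = 0
        for tap in self.TAPS:
            fb ^= (self.state >> (tap - 1)) & 1
        self.state = (self.state >> 1) | (fb << 31)
        return out

    def keystream(self, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            byte = 0
            for bit in range(8):                  # pack output bits LSB-first
                byte |= self.next_bit() << bit
            out.append(byte)
        return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def lfsr_crypt(seed: int, data: bytes) -> bytes:
    """XOR with the LFSR keystream; encryption and decryption are the same operation."""
    return xor(data, LFSR32(seed).keystream(len(data)))

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so it decrypts as well."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed fixed beacon header: an assumption standing in for whatever
# predictable prefix a real implant puts at the front of each message.
BEACON_HDR = b"\x01\x00\x00\x00"

def faketls_lfsr_beacon(seed: int, msg: bytes) -> bytes:
    """Implant side: LFSR-encrypt header+msg and dress it up as a TLS record."""
    return tls_record(lfsr_crypt(seed, BEACON_HDR + msg))

def recover_lfsr_beacon(stream: bytes) -> bytes:
    """Analyst side: 32 consecutive output bits of a Fibonacci LFSR are its state,
    so 4 known plaintext bytes at the start give the seed and decrypt everything."""
    ct = b"".join(body for ctype, _, body in parse_tls_records(stream)
                  if ctype == TLS_APP_DATA)
    seed = int.from_bytes(xor(ct[:4], BEACON_HDR), "little")  # bits were emitted LSB-first
    return lfsr_crypt(seed, ct)

def rc4_reuse_leak(key: bytes, known: bytes, secret: bytes) -> bytes:
    """RC4 output is not linear in its state, so the trick above fails; but a key
    reused across sessions gives c1 XOR c2 = p1 XOR p2, and known p1 reveals p2."""
    c1, c2 = rc4(key, known), rc4(key, secret)
    return xor(xor(c1, c2), known)[:len(secret)]

if __name__ == "__main__":
    wire = faketls_lfsr_beacon(0xDEADBEEF, b"host=WS01;user=alice")
    print(recover_lfsr_beacon(wire), rc4_reuse_leak(b"static-key", b"A" * 32, b"cmd:exec whoami"))
```

The record framing is what gets the traffic past a port-443 allow rule and a casual look at a packet capture; the point for a responder is that it buys the operator no real confidentiality once the cipher is this weak or the key is static, so captured sessions can often be decrypted after the fact from a beacon’s predictable prefix. The small record parser is also the natural starting point for pulling such sessions out of a capture for inspection.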

The samples appear to share some code similarities that result in some detection engines identifying them as variants of the NukeSped RAT, something that was observed with previously shared malware samples as well. 

Related: USCYBERCOM Shares More North Korean Malware Samples

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
