Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

U.S. Details North Korean Malware Used in Attacks on Defense Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have shared details on a piece of malware North Korean threat actors likely used in attacks targeting employees of defense organizations in Israel and other countries.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have shared details on a piece of malware North Korean threat actors likely used in attacks targeting employees of defense organizations in Israel and other countries.

Dubbed BLINDINGCAN, the malware was apparently used in “Dream Job,” a campaign active since the beginning of this year, which hit dozens of defense and governmental companies in Israel and globally by targeting specific employees with highly appealing job offerings.

According to U.K. cybersecurity firm ClearSky, the operation appears to have been the main offensive campaign orchestrated by the North Korea-linked threat group Lazarus in 2020. Previously, the Israeli defense ministry claimed to have successfully prevented the attacks.

Also referred to as Hidden Cobra, Lazarus has been involved in numerous high profile attacks, such as the WannaCry outbreak in 2017, the $81 million Bangladesh bank theft, or the recent attacks on crypto-currency exchanges.

Over the past couple of years, the United States Cyber Command (USCYBERCOM) has shared various malware samples associated with the group, but only a malware analysis report (MAR) has been published for the BLINDINGCAN remote access Trojan (RAT).

The malware, the two agencies reveal, can collect various types of information on the victim system, including OS and processor details, system name, local IP information, and MAC address, and also provides attackers with remote capabilities, such as the ability to retrieve information on available disks, manipulate processes, files and directories, execute code, and erase itself.

The report reveals that the HIDDEN COBRA actors “are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.” Moreover, the FBI and CISA reveal that North Korean hackers have been observed targeting government contractors this year, to harvest data on military and energy technologies.

“The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim’s system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system,” the report reads.

Advertisement. Scroll to continue reading.

The MAR was released after the analysis of two DLLs and four DOCX files. The documents would attempt to fetch a payload from an external domain, while a DLL was observed unpacking and executing a variant of the Hidden Cobra RAT.

In their report, CISA and the FBI also included a series of recommendations on how system admins can improve security and keep systems protected, such as ensuring that machines and applications are kept up to date, applying best practices when it comes to email attachments, user permissions, and removable drives, and enforcing a strong password policy.

Related: UK Cybersecurity Firm Says North Korean Attacks on Israel Successful

Related: Multi-Platform Malware Framework Linked to North Korean Hackers

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...