Security Experts:

U.S. Takes Aim at North Korea's Joanap Botnet

U.S. Government Announces Initiative to Disrupt Joanap Botnet Associated With North Korean Regime 

The U.S. Justice Department announced Wednesday that it is working on taking down the Joanap botnet. Using court orders and search warrants, the FBI and the U.S. Air Force Office of Special Investigations (AFOSI) established servers that mimic peers in the botnet's decentralized peer-to-peer communication system, allowing them to collect information on infected computers.

The FBI is using this information to contact U.S. victims either directly or via their ISP. For foreign victims, the U.S. government is contacting the host country's own government and by using the FBI's Legal Attaches.

Joanap has been around since 2009 and is easily controlled by the latest version of Windows and up-to-date anti-virus controls. However, it still spreads through unprotected networks using a second malware, Brambul. Brambul is an SMB worm that spreads through a network by brute-forcing SMB shares using a list of hard-coded login credentials.

In May 2018, the government attributed Joanap and Brambul to Hidden Cobra -- the name used by the government for the North Korean government group known to most researchers as Lazarus. The malware has been used to target the media, aerospace, financial, and critical infrastructure sectors both in the United States and around the world. Included in this US-CERT alert are links to csv and stix files containing relevant IOCs.

The attacks against Sony Pictures Entertainment, Bangladesh's central bank and various financial organizations, and the WannaCry outbreak have all been attributed to Lazarus.

Joanap is a remote access trojan (RAT) able to receive multiple commands issued by Hidden Cobra. It provides the attackers with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.

Brambul is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file. It communicates information about victims' systems to Hidden Cobra using malicious email addresses.

"Computers around the world remain infected by a botnet associated with the North Korean Regime," said Assistant Attorney General John Demers. "Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department's efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution."

ADIC Paul Delacourt added, "Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners."

While this is an example of the U.S. government using technical means against foreign hackers, in June 2018 the FBI filed a complaint against North Korean citizen, Park Jin Hyok as a member of Lazarus. Joanap is not mentioned in the complaint; but Brambul gets extensive coverage. "The subjects of the investigation," it says, "have repeatedly used as hop points particular computers that were compromised by a piece of malware known as the "Brambul" worm that crawls from computer to computer, trying to infect computers."

Joanap, says the statement from the Department of Justice, targets Microsoft Windows operating systems, but running Windows Defender and using Windows Update will remediate and prevent infections by Joanap. Several free and paid antivirus programs are also already capable of detecting and removing Joanap and Brambul, including the Microsoft Safety Scanner, a free product.

Related: North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools 

Related: Malware Attacks on Polish Banks Linked to Lazarus Group 

Related: North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank 

Related: North Korean Hackers Hit Cryptocurrency Exchange with macOS Malware 

Related: Kaspersky Links Global Cyber Attacks to North Korea 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.