Story image

United States hot on heels of North Korea's Hidden Cobra malware

19 Feb 2018

The United States Computer Emergency Readiness Team (US-CERT) is honing in on the North Korean Government’s cyber espionage activities known as HIDDEN COBRA, which have been operational since at least 2009.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been working together to understand the North Korean Government’s cyber activities.

Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace,” US-CERT states in an alert from June 2017.

“Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.”

“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”

In a malware analysis report of the HARDRAIN Trojan from earlier this month, US CERT explicitly states that the FBI is highly confident that the Hidden Cobra actors are using malware and proxy servers to squat and exploit victims’ networks.

The latest techniques involve Windows executable files that function as proxy servers and implement ‘Fake TLS’. It goes by several names, including Backdoor:Win32/Escad.A!dha.

US-CERT explains:

“The proxy sessions are disguised to appear as encrypted TLS/SSL sessions by using public SSL certificates obtained from well-known, legitimate Internet services. The legitimate certificates are contained within the malware. However, the traffic between the operator and the proxy server is encrypted using an unidentified cipher.”

 Another malware is an Executable Linkable Format (ELF) file that functions as a Remote Access Trojan on Android devices. It goes by different names, including Andr/Spy-ANK.

“This artifact is a malicious ELF ARM executable designed to connect to hard-coded Internet Protocol (IP) addresses. Static analysis indicates this ELF binary, designed to run on Android platforms, is a fully functioning Remote Access Tool.”

US-CERT also attributes Trojans BADCALL and BANKSHOT to the North Korean Government.

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date. Enable a personal firewall on agency workstations. Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.
SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.