The United States Computer Emergency Readiness Team (US-CERT) is honing in on the North Korean Government’s cyber espionage activities known as HIDDEN COBRA, which have been operational since at least 2009.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been working together to understand the North Korean Government’s cyber activities.
Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace,” US-CERT states in an alert from June 2017.
“Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.”
“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”
In a malware analysis report of the HARDRAIN Trojan from earlier this month, US CERT explicitly states that the FBI is highly confident that the Hidden Cobra actors are using malware and proxy servers to squat and exploit victims’ networks.
The latest techniques involve Windows executable files that function as proxy servers and implement ‘Fake TLS’. It goes by several names, including Backdoor:Win32/Escad.A!dha.
“The proxy sessions are disguised to appear as encrypted TLS/SSL sessions by using public SSL certificates obtained from well-known, legitimate Internet services. The legitimate certificates are contained within the malware. However, the traffic between the operator and the proxy server is encrypted using an unidentified cipher.”
Another malware is an Executable Linkable Format (ELF) file that functions as a Remote Access Trojan on Android devices. It goes by different names, including Andr/Spy-ANK.
“This artifact is a malicious ELF ARM executable designed to connect to hard-coded Internet Protocol (IP) addresses. Static analysis indicates this ELF binary, designed to run on Android platforms, is a fully functioning Remote Access Tool.”
US-CERT also attributes Trojans BADCALL and BANKSHOT to the North Korean Government.
US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems:
- Maintain up-to-date antivirus signatures and engines.
- Restrict users' ability (permissions) to install and run unwanted software applications.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Keep operating system patches up-to-date. Enable a personal firewall on agency workstations. Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats; implement appropriate ACLs.