US-CERT has released a Technical Alert linking two malware families, Joanap and Brambul, to the North Korean government.
Joanap is a remote access tool (RAT), and Brambul is a Server Message Block (SMB) worm.
The Technical Alert was jointly released by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
HIDDEN COBRA is the name the U.S. Government uses for malicious cyber activity by the North Korean government. According to the alert, HIDDEN COBRA actors have likely been using both Joanap and Brambul since at least 2009.
The malware has been used to target victims globally and in the U.S., including the media, aerospace, financial, and critical infrastructure sectors.
“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations.
According to the Technical Alert, Joanap allows HIDDEN COBRA actors to:
- Exfiltrate data
- Drop and run secondary payloads
- Initialize proxy communications on a compromised Windows system
- Manage files
- Manage processes
- Create and delete directories
- Manage botnet nodes
Brambul is a 32-bit Windows SMB worm that functions as a service dynamic link library (DLL) file or a portable executable (PE) file, often dropped and installed onto victims' networks by dropper malware.
When executed, the malware attempts to establish contact with victim systems and IP addresses on the victim's local subnets.
It then tries to gain unauthorized access over SMB (TCP ports 139 and 445) by brute-forcing passwords from an embedded list. Brambul also generates random IP addresses to attack beyond the local subnets.
According to the Technical Alert, the Brambul malware is capable of:
- Stealing system information
- Accepting command-line arguments
- Generating and executing a suicide script
- Propagating across the network using SMB
- Brute-forcing SMB login credentials
- Generating Simple Mail Transfer Protocol (SMTP) email messages containing target host system information
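The behaviour described above leaves two usable traces on a network: a single host fanning out to many neighbours on TCP 139/445 in a short time, and a burst of failed network logons (Windows event 4625, logon type 3) on the targets, possibly followed by a success. The alert's IOC files, quoted earlier, give a third: connections to listed IP addresses. The following Python is an added example, not code from the US-CERT alert, that runs all three checks over constructed flow and logon records. The IP addresses, hostnames, thresholds and the IOC list are hypothetical (RFC 5737 and RFC 1918 ranges), not indicators from the alert.

```python
"""Added example (not from the US-CERT alert): flag Brambul-style SMB fan-out,
SMB password guessing, and hits against an IOC IP list in sample logs.
Every address, host and threshold below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 10          # distinct SMB targets from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this window
FAILED_LOGON_THRESHOLD = 5     # failed type-3 logons per (source, host)

# Hypothetical IOC list (TEST-NET-1), standing in for the alert's IOC files.
IOC_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.77")}

# Constructed flow records: timestamp src dst dport action
SAMPLE_FLOWS = """\
2018-05-29T10:00:00 10.0.5.40 10.0.5.200 445 allow
2018-05-29T10:00:05 10.0.5.23 10.0.5.1 445 allow
2018-05-29T10:00:06 10.0.5.23 10.0.5.2 445 allow
2018-05-29T10:00:07 10.0.5.23 10.0.5.3 139 allow
2018-05-29T10:00:08 10.0.5.23 10.0.5.4 445 allow
2018-05-29T10:00:09 10.0.5.23 10.0.5.5 445 allow
2018-05-29T10:00:10 10.0.5.23 10.0.5.6 445 allow
2018-05-29T10:00:11 10.0.5.23 10.0.5.7 445 deny
2018-05-29T10:00:12 10.0.5.23 10.0.5.8 445 allow
2018-05-29T10:00:13 10.0.5.23 10.0.5.9 445 allow
2018-05-29T10:00:14 10.0.5.23 198.51.100.14 445 deny
2018-05-29T10:00:15 10.0.5.23 198.51.100.201 445 deny
2018-05-29T10:00:16 10.0.5.23 203.0.113.9 445 deny
2018-05-29T10:00:30 10.0.5.40 10.0.5.200 445 allow
2018-05-29T10:01:00 10.0.5.23 192.0.2.10 443 allow
2018-05-29T10:20:00 10.0.5.40 10.0.5.200 445 allow
"""

# Constructed Windows logon events: timestamp host event_id logon_type src user
SAMPLE_AUTH = """\
2018-05-29T10:00:05 FS01 4625 3 10.0.5.23 administrator
2018-05-29T10:00:05 FS01 4625 3 10.0.5.23 admin
2018-05-29T10:00:06 FS01 4625 3 10.0.5.23 guest
2018-05-29T10:00:06 FS01 4625 3 10.0.5.23 administrator
2018-05-29T10:00:06 FS01 4625 3 10.0.5.23 admin
2018-05-29T10:00:07 FS01 4624 3 10.0.5.23 administrator
2018-05-29T10:00:20 FS01 4624 3 10.0.5.40 jdoe
"""


def parse_flows(text):
    """Parse the flow format above into (ts, src, dst, dport, action) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = line.split()
            rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                         ipaddress.ip_address(dst), int(dport), action))
    return rows


def ioc_hits(flows, iocs=IOC_IPS):
    """(src, dst, dport) for every flow touching a listed IOC address."""
    return [(str(s), str(d), p) for _, s, d, p, _ in flows if s in iocs or d in iocs]


def smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Per source, the most distinct hosts contacted on 139/445 within any
    `window`; sources reaching `threshold` are returned (worm-like scanning)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[str(src)] = best
    return flagged


def smb_bruteforce(text, threshold=FAILED_LOGON_THRESHOLD):
    """Count 4625 network logons (type 3) per (source, host); >= threshold looks
    like embedded-password guessing, and a later 4624 means a guess worked."""
    stats = defaultdict(lambda: {"failures": 0, "success_after": False})
    for line in text.splitlines():
        if not line.strip():
            continue
        _, host, event_id, logon_type, src, _user = line.split()
        if logon_type != "3":
            continue
        if event_id == "4625":
            stats[(src, host)]["failures"] += 1
        elif event_id == "4624" and stats[(src, host)]["failures"] > 0:
            stats[(src, host)]["success_after"] = True
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("IOC hits:", ioc_hits(flows))
    print("SMB fan-out:", smb_fanout(flows))
    print("SMB brute force:", smb_bruteforce(SAMPLE_AUTH))
```

On the constructed data, 10.0.5.23 is flagged on all three checks: it reaches twelve distinct hosts on SMB within seconds (nine on its own /24 plus three random external addresses, matching Brambul's subnet-then-random pattern), it fails five network logons against FS01 before one succeeds, and it later talks to a listed IOC address. The workstation 10.0.5.40, which only ever talks to its file server, is not flagged. Thresholds should be tuned to the environment; the fan-out check in particular will fire on legitimate vulnerability scanners, which are best handled by an allow-list rather than a higher threshold.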
From its analysis of Joanap, the U.S. Government identified 87 compromised network nodes in 17 countries: Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, and Tunisia.
Follow these basic preventive measures to protect computer systems:
- Perform regular backups. Ideally, backup data should be kept on a separate device and stored offline.
- Maintain updated antivirus software on all systems.
- Don't open attachments in unsolicited emails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. If a link appears genuine, close the email and go to the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.