Today, the United States Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DOD), released multiple malware analysis reports (MARs) that attribute malicious cyber activity to the North Korean government. The activity is tracked as HIDDEN COBRA, also known as LAZARUS.
HIDDEN COBRA has been linked to multiple high-profile attacks that caused massive infrastructure disruptions, as well as to financially motivated attacks in various parts of the world. Notable examples are the 2014 attack on a major entertainment company and the 2016 Bangladeshi heist, which would have netted nearly $1 billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although the full attempt failed, the group still netted around 81 million dollars. The most recent and most notable attack attributed to HIDDEN COBRA was the WannaCry ransomware attack, which caused massive disruption and damage worldwide to numerous organizations, especially manufacturers. Estimates of the impact ranged from hundreds of millions of dollars to, by some accounts, billions. Other verticals this group has targeted include critical infrastructure, entertainment, finance, healthcare, and telecommunications across multiple countries.
These sample sets contain 39 unique samples. The names CISA assigned to the reports are HOPLIGHT, BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, and BUFFETLINE.
This report covers 27 malicious files. Most are Windows-specific portable executable (PE) files, along with some data files. They include a combination of backdoor Trojans, droppers, info stealers, credential harvesters, remote access Trojans/tools (RATs), and artifact files. According to the report, sixteen of these files allow HIDDEN COBRA operators to mask traffic between the victim machine and the command and control (C2) servers: the proxies generate fake TLS handshake sessions using a signed public SSL certificate. The payload of the files used by the attackers appears to be password protected or encoded with a key. Another file makes outbound connections to predetermined IP addresses and, in parallel, drops four files onto the compromised system. The dropped files contain IP addresses and SSL certificates used to extend the attackers' footprint.
This report provides insight into multiple variants of a RAT (remote access Trojan/tool) together with multiple versions of a GUI implant controller/builder called CAgent11. The samples use simple XOR network encoding and offer the range of surveillance features common to RATs: system scans, file uploads/downloads, process and command execution, and monitoring of the microphone, clipboard, and screen.
According to the report, the GUI controllers allow interaction with the implant as well as the option to dynamically build new customized implants. These implants are delivered in a trojanized executable containing a fake bitmap, which ultimately decodes into shellcode that loads the embedded implant.
The sample used in this campaign is a dropper that decodes and writes another file to "C:\Windows\Web\taskenc.exe"; the dropped file is a Themida-packed beacon similar to the dropper itself.
The beaconing file does not execute the dropped file, nor does it schedule any tasks to run the malware.
The dropped beaconing implant uses a network encoding algorithm and is capable of many functions, including system surveys, file upload/download, process and command execution, and screen captures, the feature set of a fully functional RAT.
The file used in this campaign is a Themida-packed 32-bit Windows PE file. Once run, it unpacks and executes a Remote Access Trojan (RAT) binary in memory. The application accepts arguments at execution time and can also be installed as a service with command line arguments. It can receive incoming connections by actively listening as a proxy while also receiving commands, or it can connect out to another server to receive commands.
This sample performs custom XOR network encoding and can exfiltrate data from the victim machine to a predefined C2 server. It collects information about the victim machine such as usernames, administrator information, the machine's IP address, Windows OS information, processor name, screen resolution, and physical RAM. Other features include system surveys, file upload/download, process and command execution, and screen captures.
This sample can download a DLL from a hardcoded URL and load and execute it in memory.
This sample uses the PolarSSL library for session authentication, but then switches to a FakeTLS scheme: a forged TLS packet header is prepended to each packet, and the packet body is encoded with custom XOR, ultimately to evade analysis. It can also download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
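The FakeTLS scheme described for this sample (and for the proxy files earlier in the post) relies on a defender's tooling accepting any byte stream that starts with a TLS record header. The following is an added example, not code from the FortiGuard post or from the CISA reports: a small TLS record-layer sanity checker that parses a reassembled client-to-server stream, validates each record header against the RFC 5246 layout, and flags streams that never begin with a well-formed ClientHello. The sample streams, the beacon text and the XOR key 0x5A are constructed for illustration and say nothing about the actual samples' framing or key.

```python
"""
Added example (not from the FortiGuard post or the CISA MARs): a TLS
record-layer sanity checker for the "FakeTLS" pattern, where a forged TLS
record header is prepended to XOR-encoded data. Field layouts follow
RFC 5246; all byte strings below are constructed for illustration.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {(3, 1), (3, 2), (3, 3)}   # TLS 1.0, 1.1, 1.2 record-layer versions
MAX_FRAGMENT = 2 ** 14 + 2048                # RFC 5246 ceiling for an encrypted fragment
CLIENT_HELLO = 1                             # HandshakeType.client_hello


def parse_records(stream: bytes):
    """Split a stream into TLS records, returning (records, findings).

    Each record is (content_type, version, fragment). Parsing stops at the
    first header whose declared length runs past the end of the stream.
    """
    records, findings, off = [], [], 0
    while off + 5 <= len(stream):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        idx = len(records)
        if ctype not in CONTENT_TYPES:
            findings.append(f"record {idx}: unknown content type {ctype}")
        if (vmaj, vmin) not in RECORD_VERSIONS:
            findings.append(f"record {idx}: unusual record version {vmaj}.{vmin}")
        if length > MAX_FRAGMENT:
            findings.append(f"record {idx}: fragment length {length} exceeds TLS maximum")
        frag = stream[off + 5:off + 5 + length]
        if len(frag) != length:
            findings.append(f"record {idx}: declared length {length}, only {len(frag)} bytes present")
            break
        records.append((ctype, (vmaj, vmin), frag))
        off += 5 + length
    if 0 < len(stream) - off < 5:
        findings.append("partial record header at end of stream")
    return records, findings


def client_hello_ok(fragment: bytes) -> bool:
    """True if a handshake fragment starts with a plausibly well-formed ClientHello."""
    if len(fragment) < 4 or fragment[0] != CLIENT_HELLO:
        return False
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    # client_version(2) + random(32) + session_id length(1) is the minimum prefix
    return len(body) == body_len and len(body) >= 35 and body[0] == 3


def assess_client_stream(stream: bytes) -> list:
    """Return findings for a client-to-server stream; an empty list means it looks like TLS."""
    records, findings = parse_records(stream)
    if not records:
        return findings or ["no complete TLS record in stream"]
    ctype, _, frag = records[0]
    if ctype != 22:
        findings.append(f"first record is {CONTENT_TYPES.get(ctype, ctype)}, not a handshake: FakeTLS candidate")
    elif not client_hello_ok(frag):
        findings.append("first handshake record does not carry a well-formed ClientHello")
    return findings


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used here only to build the constructed FakeTLS sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_client_hello_record() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03" + b"\x11" * 32       # client_version, random
            + b"\x00"                         # session_id length 0
            + b"\x00\x02" + b"\xc0\x2f"       # cipher_suites: one suite
            + b"\x01\x00"                     # compression_methods: null only
            + b"\x00\x00")                    # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: a genuine-looking stream, a FakeTLS stream (forged
# application_data header over XOR-encoded beacon text), and a truncated one.
GENUINE_STREAM = build_client_hello_record()
FAKE_PAYLOAD = xor_bytes(b"hostname=WS01;user=alice", b"\x5a")
FAKE_STREAM = b"\x17\x03\x01" + len(FAKE_PAYLOAD).to_bytes(2, "big") + FAKE_PAYLOAD
TRUNCATED_STREAM = GENUINE_STREAM[:-10]

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE_STREAM), ("fake", FAKE_STREAM), ("truncated", TRUNCATED_STREAM)]:
        print(name, assess_client_stream(s) or "looks like TLS")
```

The check is a heuristic, not a decryptor: a FakeTLS implementation can prepend a plausible ClientHello as easily as an application_data header, so in practice the record-layer findings should be combined with checks on the server side of the exchange (whether a ServerHello and certificate were actually sent, and whether the certificate matches the expected host) rather than used alone.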
FortiGuard Labs deployed coverage to ensure protections were in place immediately after the announcement by the United States Cybersecurity and Infrastructure Security Agency (CISA). CISA, in coordination with the Cyber Threat Alliance (CTA), shared the samples with CTA partners ahead of the announcement so that customers of CTA members were protected immediately.
Customers running the latest definition sets are protected by the following AV signatures:
All network IOCs have been blacklisted by the Web Filtering client.