The US Pentagon, the FBI, and the Department of Homeland Security on Friday exposed a North Korean hacking operation and provided technical details for seven pieces of malware used in the campaign.
The US Cyber National Mission Force, an arm of the Pentagon’s US Cyber Command, said on Twitter that the malware is “currently used for phishing & remote access by [North Korean government] cyber actors to conduct illegal activity, steal funds & evade sanctions.” The tweet linked to a post on VirusTotal, the Alphabet-owned malware repository, that provided cryptographic hashes, file names, and other technical details that can help defenders identify compromises inside the networks they protect.
Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://t.co/cBqSL7DJzI. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM
— USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020
An accompanying advisory from the DHS’s Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the government’s name for a hacking group sponsored by the North Korean Government. Many security researchers in the private sector use other names for the group, including Lazarus and Zinc. Six of the seven malware families were uploaded to VirusTotal on Friday. They included:
- Bistromath, a full-featured remote access trojan and implant that performs system surveys, file uploads and downloads, process and command executions, and monitoring of microphones, clipboards, and screens
- Slickshoes, a “dropper” that loads, but doesn’t actually execute, a “beaconing implant” that can do many of the same things Bistromath does
- Hotcroissant, a full-featured beaconing implant that also does many of the same things listed above
- Artfulpie, an “implant that performs downloading and in-memory loading and execution of DLL files from a hardcoded url”
- Buttetline, another full-featured implant, but this one uses fake a fake HTTPS scheme with a modified RC4 encryption cipher to remain stealthy
- Crowdedflounder, a Windows executable that’s designed to unpack and execute a Remote Access Trojan into computer memory
But wait… there’s more
Friday’s advisory from the Cybersecurity and Infrastructure Security Agency also provided additional details for the previously disclosed Hoplight, a family of 20 files that act as a proxy-based backdoor. None of the malware contained forged digital signatures, a technique that’s standard among more advanced hacking operations that makes it easier to bypass endpoint security protections.
Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, posted an image on Twitter that showed the relationship between the malware detailed on Friday with malicious samples the Moscow-based security firm has identified in other campaigns attributed to Lazarus.
Friday’s joint advisory is part of a relatively new approach by the federal government to publicly identify foreign-based hackers and the campaigns they carry out. Previously, government officials mostly steered clear of attributing specific hacking activities to specific governments. In 2014, that approach began to change when the FBI publicly concluded that the North Korean government was behind the highly destructive hack of Sony Pictures a year earlier. In 2018, the Department of Justice indicted a North Korean agent for allegedly carrying out the Sony hack and unleashing the WannaCry ransomware worm that shut down computers worldwide in 2017. Last year, the US Treasury sanctioned three North Korean hacking groups widely accused of attacks that targeted critical infrastructure and stole millions of dollars from banks in cryptocurrency exchanges.
As Cyberscoop pointed out, Friday marked the first time that the US Cyber Command identified a North Korean hacking operation. One reason for the change: although the North Korean government hackers often use less advanced malware and techniques than counterparts from other countries, the attacks are growing increasingly sophisticated. News agencies including Reuters have cited a United Nations report from last August that estimated North Korean hacking of banks and cryptocurrency exchanges has generated $2 billion for the country’s weapons of mass destruction programs. Source