On May 29th, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published two joint technical alerts (JTAs) disclosing and describing threat indicators associated with the Joanap remote access tool (RAT) and the Brambul Server Message Block (SMB) worm. The alerts attribute use of this malware to the North Korean government (PRK) and Hidden Cobra activity. Hidden Cobra is a North Korean state-sponsored cyber unit that has been targeting several industries using various sophisticated attacks. This investigation revealed 87 compromised network nodes across 17 countries, and the FBI reports a high level of confidence that compromised devices operating from the IP addresses mentioned in the report are used in ongoing HIDDEN COBRA campaigns.
According to the report, HIDDEN COBRA actors have likely used Joanap and Brambul malware since at least 2009, to target multiple victims including several from the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Additionally, DHS and the FBI recommend reviewing information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report.
Joanap Remote Access Trojan
The Joanap Trojan Backdoor is a remote access tool (RAT) which targets computers running Microsoft Windows operating systems. It has features for peer-to-peer communication, data exfiltration, proxying network traffic, and downloading and executing additional malware, which could extend the attackers' capabilities. The Joanap RAT is typically downloaded without the system owner’s knowledge as a secondary infection. HIDDEN COBRA and other threat actors often compromise legitimate domains in order to infect systems visiting the site, and also distribute the malware through email.
Notable functions for Joanap include:
- performing process and file management and coordinating with other nodes
- encrypting communication using Rivest Cipher 4 (RC4)
- creating a file at infection stage named mssscardprv.axlog inside the Windows “System” directory, which it uses to store information including the victim host’s IP address and hostname
Brambul SMB Malware
Brambul is a Server Message Block (SMB) malware which propagates through brute-force username and password guessing attacks against unsecured SMB shares using a list of predetermined credentials. Dropper malware is typically used to deliver it to the victim’s network in the form of a Portable Executable (PE) file or Dynamic Link Library (DLL). Upon activation, it attempts contact with victims’ systems on the local subnet and launches the brute-force attack against SMB ports TCP 139 and TCP 445. Brambul is known to have remote control capabilities for command-line input, network propagation, and harvesting system information and sending it via email. It may also attempt to determine whether the Remote Desktop Protocol (RDP) is enabled on port TCP 3389 and report this to the attacker via email.
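As an added example (not code from the alerts or from this post), the following Python flags a host whose traffic matches the propagation pattern described above: many distinct hosts on the local subnet reached on TCP 139/445 within a short window, plus an RDP probe on TCP 3389. The flow record format, the sample records, and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
RDP_PORT = 3389

# Constructed flow records in the form "timestamp src dst dport"; not real data.
# 10.0.1.20 sweeps the /24 on SMB and probes RDP; 10.0.1.50 only talks to a file server.
SAMPLE_FLOWS = """\
2018-05-29T10:00:00 10.0.1.50 10.0.1.10 445
2018-05-29T10:00:05 10.0.1.20 10.0.1.2 445
2018-05-29T10:00:06 10.0.1.20 10.0.1.3 139
2018-05-29T10:00:07 10.0.1.20 10.0.1.4 445
2018-05-29T10:00:08 10.0.1.20 10.0.1.5 445
2018-05-29T10:00:09 10.0.1.20 10.0.1.6 445
2018-05-29T10:00:10 10.0.1.20 10.0.1.3 3389
2018-05-29T10:01:00 10.0.1.50 10.0.1.10 445
2018-05-29T10:30:00 10.0.1.20 203.0.113.9 445
""".splitlines()


def parse_flow(line):
    """Parse one constructed 'timestamp src dst dport' record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def find_smb_spray(lines, local_net, window=timedelta(minutes=5), min_targets=4):
    """Return {src: {"smb_targets": n, "rdp_probes": n}} for every source that
    reached at least min_targets distinct local hosts on SMB within any window."""
    local = ip_network(local_net)
    smb = defaultdict(list)   # src -> [(ts, dst)] for SMB flows into the local subnet
    rdp = defaultdict(set)    # src -> {dst} for RDP probes into the local subnet
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dst not in local or src == dst:   # only intra-subnet spreading matters here
            continue
        if dport in SMB_PORTS:
            smb[src].append((ts, dst))
        elif dport == RDP_PORT:
            rdp[src].add(dst)
    hits = {}
    for src, events in smb.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):             # sliding window over time-ordered flows
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({d for _, d in events[lo:hi + 1]}))
        if peak >= min_targets:
            hits[str(src)] = {"smb_targets": peak, "rdp_probes": len(rdp[src])}
    return hits
```

Tune `window` and `min_targets` to the subnet's normal SMB fan-out (backup agents and vulnerability scanners will also trip a low threshold).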
Recommendations and Mitigation
DHS and the FBI state that a successful HIDDEN COBRA intrusion could have severe impacts including data breaches, network service disruption, and damage to an organization’s reputation. Security teams and network administrators should use the indicators provided by DHS and the FBI to identify related activity within their own network or their perimeter. When reviewing network activity, organizations may find potentially malicious connections as well as legitimate or benign interactions.
Recommended mitigations include:
- Stronger access security – using strong user passwords and limiting user permissions to least-privileged access
- Timely patching – maintaining up-to-date antivirus signatures and applying system and software patches from trusted sources
- Email filtering – filtering suspicious or malicious email and attachments
- DNS Response Policy Zone (RPZ) capability – using RPZ on the DNS server to monitor and block DNS queries to domains known to be part of the attackers’ infrastructure, and to readily identify infected systems
- Up-to-date threat intelligence – using aggregated, curated and timely threat intelligence across the entire security infrastructure to maximize protection
Infoblox ActiveTrust protects against cyberattacks using threat intelligence feeds that are proactively curated and contain indicators on evolving threats including ones attributed to Hidden Cobra attacks.
ActiveTrust or ActiveTrust Cloud free evaluations provide an easy way to try the full featured DNS security solution, either deployed on-premises or delivered as a cloud service.