The Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) identified Trojan malware variants used by the North Korean government.
According to a report published by the Cybersecurity and Infrastructure Security Agency (CISA), they have identified the following malware variants in Malware Analysis Reports (MARs):
- HOPLIGHT: This report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.
- ARTFULPIE: This report looks at an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded url.
- HOTCROISSANT: This report looks at a full-featured beaconing implant. This sample performs a custom XOR network encoding and is capable of many features including conducting system surveys, file upload/download, process and command execution, and performing screen captures.
- CROWDEDFLOUNDER: This report analyzes a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory. This application is designed to accept arguments during execution or can be installed as a service with command line arguments. It is designed to listen as a proxy for incoming connections containing commands or can connect to a remote server to receive commands.
- SLICKSHOES: This sample is a Themida-packed dropper that decodes and drops a file "C:\Windows\Web\taskenc.exe" which is a Themida-packed beaconing implant. The beaconing implant does not execute the dropped file nor does it schedule any tasks to run the malware. The dropped beaconing implant uses an indigenous network encoding algorithm and is capable of many features including conducting system surveys, file upload/download, process and command execution, and screen captures.
- BISTROMATH: This report looks at multiple versions of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder. These samples performs simple XOR network encoding and are capable of many features including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and the screen. The GUI controllers allow interaction with the implant as well as the option to dynamically build new implants with customized options. The implants are loaded with a trojanized executable containing a fake bitmap which decodes into shellcode which loads the embedded implant.
- BUFFETLINE: This report looks at a full-featured beaconing implant. This sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Each MAR is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity. Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques. CISA urges Users or administrators to flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
The information contained in these most recent seven (7) MARs, as well as the previous work linked below, is the result of analytic efforts between the U.S. Department of Homeland Security (DHS), the U.S. Department of Defense (DOD), and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.