Multiple U.S. government agencies have warned of a newly cybesecurity threat from North Korea.
According to the U.S. government, the warning “is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.”
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified malware variants used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
The U.S. government issued six new Malware Analysis Reports (MARs) and one updated MAR related to malicious cyber activity from North Korea. Each MAR is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity. CISA encourages users and administrators to review these MARs for each malware variant listed below.
- February 14, 2020: Malware Analysis Report (10265965-1.v1) – North Korean Trojan: BISTROMATH
- February 14, 2020: Malware Analysis Report (10265965-2.v1) – North Korean Trojan: SLICKSHOES
- February 14, 2020: Malware Analysis Report (10265965-3.v1) – North Korean Trojan: CROWDEDFLOUNDER
- February 14, 2020: Malware Analysis Report (10271944-1.v1) – North Korean Trojan: HOTCROISSANT
- February 14, 2020: Malware Analysis Report (10271944-2.v1) – North Korean Trojan: ARTFULPIE
- February 14, 2020: Malware Analysis Report (10271944-3.v1) – North Korean Trojan: BUFFETLINE
- February 14, 2020: Malware Analysis Report (10135536-8.v3) – North Korean Trojan: HOPLIGHT
(updates October 31, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT, which updated April 10, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT)
Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie and Buffetline are variants of the VirusTotal. Hoplight is an update on a previous strain. If allowed to take root, the various strains of malware enable remote access to machines and networks, the download of further malicious software, as well as the exfiltration of credentials and files.
It is assumed that the same attackers thought responsible for the WannaCry ransomware attack in 2017 are likely behind these latest campaigns—referred to as Lazarus by the private sector and “Hidden Cobra” by the U.S. government.
CISA recommends the usual mitigation: patching as soon as practically possible; applying strong passwords to file sharing and broader IoT set-ups, including printers and other networked devices; use of updated antivirus software; email defense and user training on unknown senders and attachments; some levels of user monitoring to prevent dangerous activity; and restrictions on external drives and internet software downloads.