Joint Technical Alert published by DHS and FBI warns of North Korea’s Hidden Cobra APT

The United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of the North Korea’s ‘Hidden Cobra’ APT group.

The joint Technical Alert (TA) report is the result of the efforts between of the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The US Government has tracked the hacker group as Hidden Cobra, but the APT is most popular as the Lazarus APT Group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.  Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

The joint alert from the FBI and the DHS further details on the group, including indicators of compromise (IoC) for its DeltaCharlie botnet involved in the “Operation Blockbuster” to power DDoS attacks.

The US-CERT report includes details about the malware, the IP addresses used by the attackers, file hashes, network signatures, and YARA rules associated with Hidden Cobra.

Administratos can used the information in the report to detect the presence of the threat in their system and eradicate it.

“DeltaCharlie is a DDoS tool used by HIDDEN COBRA actors, and is referenced and detailed in Novetta’s Operation Blockbuster Destructive Malware report. The information related to DeltaCharlie from the Operation Blockbuster Destructive Malware report should be viewed in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert.” states the report.

“DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol attacks,” US-CERT said. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”

The DHS agency warned of the presence of the DDoS malware on victims’ networks for a significant period of time.

“Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover,[3](link is external) Wild Positron/Duuzer,[4](link is external) and Hangman.[5](link is external) DHS has previously released Alert TA14-353A,[6] which contains additional details on the use of a server message block (SMB) worm tool employed by these actors.” continues the report.”Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.”

Enjoy the report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Hidden Cobra, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]