DHS, FBI published a joint alert including technical details of Hidden Cobra-linked ‘Typeframe’ Malware

Pierluigi Paganini June 18, 2018

The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT.

A new joint report published by US DHS and FBI made the headlines; the document details TTPs associated with North Korea-linked threat groups, tracked by the US government as Hidden Cobra.

The US authorities have published the report to reduce the exposure to the activities of North Korea-linked APT groups.

Hidden Cobra’s arsenal includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchill, Volgmer, and Delta Charlie.

The latest joint report covers a piece of malware dubbed “Typeframe” and a total of 11 samples analyzed by the government experts.

The researchers analyzed several executables and weaponized Word documents containing VBA macros.

“DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.” reads the joint report.

“This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”
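The quoted report notes that the samples can modify the victim’s firewall to allow incoming connections. As an added example, not taken from the DHS/FBI report or from the article, the following Python script parses the output of `netsh advfirewall firewall show rule name=all` and flags enabled inbound Allow rules that belong to no rule group. The heuristic that built-in Windows rules carry a Grouping value while rules added by a program or by `netsh ... add rule` typically do not is an assumption of this example, and the rule dump embedded below is constructed, with a made-up rule name and port standing in for a malware-created opening.

```python
import re
from typing import Dict, List

# Constructed sample of `netsh advfirewall firewall show rule name=all` output.
# Rule names, ports and addresses are made up for this example; the last rule
# models an ungrouped inbound Allow rule of the kind a program adds to open a port.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain
Grouping:                             File and Printer Sharing
LocalIP:                              Any
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            445
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            svchost update
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            4444
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Ok.
"""

# Matches "Key:   value" lines; separators, blank lines and the trailing "Ok." do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh 'show rule' output into one field->value dict per rule.

    A new rule starts at every "Rule Name:" line; any other "Key: value" line
    (including extra fields printed in verbose mode) is kept on the current rule.
    """
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Rule Name":
            if current:
                rules.append(current)
            current = {}
        current[key] = value
    if current:
        rules.append(current)
    return rules


def suspicious_inbound_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return enabled inbound Allow rules that carry no Grouping value.

    Assumption of this example: Windows' own rules are grouped, while rules
    created by programs or via `netsh advfirewall firewall add rule` are not.
    """
    return [
        r for r in rules
        if r.get("Direction") == "In"
        and r.get("Action") == "Allow"
        and r.get("Enabled") == "Yes"
        and r.get("Grouping", "") == ""
    ]


def describe(rule: Dict[str, str]) -> str:
    """One-line summary of a rule for an analyst's report."""
    return (f"{rule.get('Rule Name', '?')}: {rule.get('Protocol', '?')} "
            f"local port {rule.get('LocalPort', '?')} from {rule.get('RemoteIP', '?')} "
            f"on profiles {rule.get('Profiles', '?')}")


if __name__ == "__main__":
    for rule in suspicious_inbound_rules(parse_rules(SAMPLE_NETSH_OUTPUT)):
        print("ungrouped inbound allow rule:", describe(rule))
```

On a live host, redirect the `netsh` command's output to a file and pass its contents to `parse_rules` instead of the constructed sample; any flagged rule is a starting point for review against the host's change history, not a verdict on its own.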

Hidden Cobra

The security alert includes indicators of compromise (IoCs) for each of the samples analyzed by the experts.

The report includes a description of the functionality for each sample, hashes, IPs, antivirus detections, metadata, and YARA rules.

In May, US authorities published another report on the Hidden Cobra detailing the Joanap backdoor trojan and the Brambul worm.

The only certainty is that North Korea continues to be one of the most aggressive and persistent threat actors in cyberspace.
