Pierluigi Paganini February 01, 2019

FBI and Air Force experts are sinkholing the Joanap botnet to collect information about it and dismantle the malicious infrastrcuture.

The U.S. Justice Department declares war to the Joanap Botnet that is associated with North Korea. 

The U.S. DoJ announced this week that it is working to dismantle the infamous Joanap botnet, a malicious infrastructure that is believed to be associated to Pyongyang.

The FBI and the U.S. Air Force Office of Special Investigations (AFOSI) obtained court orders and search warrants that allow them to conduct sinkholing of the Joanap botnet.

The Joanap bot is a remote access trojan (RAT) that allows the attackers to exfiltrate data from compromised systems, it supports many commands and is also able to drop additional payloads.

The authorities set up servers that mimic the botnet’s communication system in order to collect information on infected systems and share them with ISP and the owners of the compromised computers.

The U.S. authorities will also inform foreign victims through the FBI’s Legal Attaches that works with the law enforcement and security agencies in their countries.

The Joanap botnet has been around since 2009, experts pointed out that the threat is still spreading through unpatched systems and unprotected networks. The bot is delivered by using the Brambul SMB worm that is able to spreads through a network by brute-forcing SMB shares leveraging on a list of hard-coded credentials.

Experts linked both the Joanap and Brambul malware to the North Korea-linked Hidden Cobra APT group.

The Joanap bot infected systems in many industries, including media, aerospace, financial, and critical infrastructure sectors across the world.

“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General John Demers. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners.” explained ADIC Paul Delacourt,

In June 2018, the FBI filed a complaint against the North Korean citizen Park Jin Hyok, an expert that works for North Korean military intelligence agency Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT Group, according to the authorities it was involved in numerous computer intrusions in which he had used also the Brambul malware to gain unauthorized access to computers.

“Moreover, a complaint was filed on June 8, 2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer intrusions backed by the North Korean government.  That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out the charged malicious cyber activities.  The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy. “

The good news for users is that the Joanap is not effective against updated Microsoft Windows systems running Windows Defender and using Windows Update. Most of the antivirus programs are also able to detect both Joanap and Brambul.

Pierluigi Paganini

(SecurityAffairs – Joanap botnet, North Korea)

[adrotate banner=”5″] [adrotate banner=”13″]