A joint advisory released by USA agencies reveals three new North Korean malware called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.
The reports are published online at the US CERT site and include not only a description but also a malware analysis of collected samples. According to the authorities these viruses have been used by the government of North Korea.
North Korean Malware Hit Once Again: The Discovery Of Three New Viruses
Information about three new North Korean malware has been published by USA authorities in a joint report on the American CERT site. The data published in the analysis is revealed by key agencies including the Department of Homeland Security, the Department of Defense and the FBI. They have discovered and monitored the attack campaigns in order to compile records about the malware behavior and then produce the shown analyses.
The specifics about malware that are supposed to originate from North Korea is that they are launched in large-scale coordinated attacks. Most of them include advanced modules which cause a lot of damage to the contaminated networks. North Korean viruses are usually set against foreign government agencies and large businesses, the majority of them are not intended to infect simple computer end users. Due to the fact that the North Korean malware are three and released in a targeted campaign that security researchers have named it as HIDDEN COBRA.
1. COPPERHEDGE: A Malware Remote Access Tool
The US authorities reveal that the first virus in the HIDDEN COBRA campaign called COPPERHEDGE is distributed in several variants and used together with proxy servers. The main goal is to maintain a malware presence in victim networks and conduct additional network exploits. At this moment the domains through which it operates includes a total is 42. The first variant is a 32-bit DLL file which uses the RC4 cipher to obfuscate strings which are delivered to the system. This includes the HTTP strings used to communicate with the remote hacker-controlled servers. Together with this a character manipulation of the strings the network administrators may find it more difficult to distinguish an active infection.
The included backdoor function is found in other variants as well — the differences are in the files which are used as the payloads. The analysis of the threats that are associated with the COPPERHEDGE RAT has allowed the US authorities to list the malicious capabilities:
- Retrieve System Information — This action will gather system information about the harvested computers.
- Drives Information Gathering — This will list the connected hard drives and send that information to the hackers.
- Set Configuration Options — This malware action will direct the computers to modify configuration files and options.
- Retrieve Configuration Options — This will download the given configuration files.
- Keep Alive — This will command the COPPERHEDGE backdoor to keep alive the connection by sending out constant network signals.
- Put File — This will upload a file to the contaminated computers.
- Create Process — This will crate a process unto which the malware process will be loaded.
- Run Command Line — This will run a certain command on the command line.
- ZIP Get File — This will retrieve files in a ZIP archive form.
- Process List — This will list the active processes on the given computer.
- Process Kill — This will kill a running process.
- Hibernate — This will cause the system to hibernate.
- Disconnect — This will break off the connection.
- Test Connect — This will test the network connection.
A distinct feature of one of the other variants of COPPERHEDGE malware is that it poses as a Google Analytics cookie — this is done by copying the standard format used by Google and modifying it accordingly. Another version will also retrieve other system data including the hard disk free space and timestamps of data.
TAINTEDSCRIBE Trojan: An Advanced Malware Weapon
This is the main malware which is part of the HIDDEN COBRA campaign. The USA reports reads that it includes the advanced persistent installation module. This will place the virus file in the Startup folder using the Narrator.exe name. A single instance may have a total of 5 IP addresses and attempt a connection to it. If a connection fails then the main engine will wait for 60 seconds before attempting to connect to the next address in line.
When a connection is made a process of authentication will follow and when completed the Trojan will download another module which is responsible for commands execution. The TAINTEDSCRIBE malware will initiate the Trojan connection using a FAKE TLS certificate — this will simulate a trusted connection which will not raise any awareness by the network administrators.
The module will perform a handshake with the hacker-controlled servers and then send out system information which has been gathered by the malware. This includes service names, current operating system configuration options and etc. It also features an extensive files and process manipulation ability which is similar to the COPPERHEDGE RAT. This includes the capability of uploading files to the hosts, stealing user data and also modifying existing files. Commands execution, as well as the starting and stopping of processes is also embedded.
PEBBLEDASH Trojan: A Secondary North Korean Trojan
This Trojan is not so much different than TAINTEDSCRIBE in its functionality. It includes pretty much the same capabilities. The malware analysis shows that it imports itself in DLL files used by applications and APIs. Using obfuscated strings the Trojan will be able to hide its network activity. A Python programmed module is used for the decryption of the main code. Once again a fake TLS certificate is implemented which will bypass security network scans. As a result the connections will appear as being to well-known services and companies.
North Korean Malware On The Rise: Yet Another Dangerous Campaign
The HIDDEN COBRA attack shows that North Korean hacking groups continue to be launch well-organized campaigns. What’s more disturbing about these attacks is that they use custom malware that are specifically used for the campaigns. On the other hand the targets are carefully researched in order to increase the chances of infection.
It is possible that forthcoming infections will be launched. Each time the North Koreans may utilize new strategies and tactics in order to intrude onto the networks. There are many reasons why these infections are done, Trojans like these one are created primarily for the following reasons:
- Sabotage – As the Trojans allow the hackers to take over control of the infected devices the hackers can delete sensitive data and deliberately launch remote commands to malfunction them.
- Data Theft & Spying – The hackers can also steal sensitive user and system information. The Trojans are configured with the ability to poll the systems for the connected hard drives, this can also be extended to available network shares which allow for data on the internal network to become accessible as well. Spying on the victim users will include not only harvesting o their data, but also monitoring the clipboard and mouse and key movement and interactions.
- Extortion – The made infections can be used to blackmail the victims, this is especially dangerous when big corporations are involved.
All of these actions do show that security administrators should take the necessary precautions ad protect their networks to the best of their ability. Further information can be found on the official advisory page.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: