What is the Issue:
On Tuesday May 29, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a comprehensive report on malware associated with North Korean Government cyber activity. The report details a remote access tool (RAT) commonly known as Joanap and a Server Message Block (SMB) worm commonly known as Brambul. This report provides signatures associated with the malware along with recommendations on how to protect your networks. SkOUT has ensured the latest signatures for this malicious cyber activity are included in our Security Operations Center monitoring platform and will alert clients when this activity is detected.
Why is this noteworthy:
Since 2009, North Korean cyber activity have leveraged their capabilities to target and compromise a range of victims. Malicious North Korean cyber activity is referred to as “Hidden Cobra” by the U.S. Government. Malware associated with Hidden Cobra include remote access tools such as FALLCHILL and Trojans such as Volgmer and BANKSHOT. North Korea has been claimed responsible for infamous cyber-attacks such as WannaCry in 2017 and the Sony Pictures attack in 2014. For more information about Hidden Cobra please visit https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity.
What is the exposure or risk:
The DHS has identified four unique files associated with Joanap and Brambul activity. The first file is an installer for two pieces of additional malware: a Remote Access Trojan (RAT) (file #2) and a malicious Dynamic Link Library (DLL) that functions as a Server Message Block (SMB) Worm (file #3).
The remote access tool would allow an attacker the ability to exfiltrate data, drop and run secondary payloads and provide proxy capabilities on a compromised Window Device. The SMB worm would attempt to connect to all hosts and attempt to gain unauthorized access to the SMB on port 445 through a bruteforce password attack. If access is gained, the IP address, hostname, username and password of that host are emailed to “firstname.lastname@example.org” and “Misswang8107@gmail.com”. The malware will also check if the host is running Remote Desktop Protocol (RDP) and if it is able to connect, the malware will send that information to the email addresses previously mentioned.
The fourth file is another SMB worm in the form of a Windows 32-bit executable. This executable is designed to scan a local network for accessible machines that also have open SMB ports. Once the malware gains access to a remote machine, it will deliver a malicious payload. The payload will attempt to connect to hosts over port 445 and attempt to bruteforce SMB connections to gain access. If access is granted, the malware will attempt to establish a file share usually named “adnim$”. The malware will use Simple Mail Transfer Protocol (SMTP) to send collected data. The email accounts that the malware files have been known to communicate with are “email@example.com” and “Misswang8107@gmail.com”.
The file names are:
- 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885 (4731CBAEE7ACA37B596E38690160A7…)
- a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717 (scardprv.dll)
- ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 (Wmmvsvc.dll)
- fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16 (298775B04A166FF4B8FBD3609E7169…)
What are the recommendations:
The Department of Homeland Security along with SkOUT recommend the following to strengthen the security posture of your organization’s systems:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate ACLs (Access Control Lists).
If you have any questions, please contact our Security Operations Center.