US-CERT Uncovers North Korean Typeframe Malware

The US-CERT has issued a new alert warning organizations of a fresh North Korean malware threat, a trojan linked to the Hidden Cobra APT group.

The latest Malware Analysis report was compiled by researchers at the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with other partners in the government.

The 11 malware samples listed in the report feature executables which “have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections.”

The majority are RC4 encrypted RATs designed to download and delete files, and proxy modules which open the Windows Firewall on victim machines to allow incoming connections.
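The firewall change described above is something a defender can watch for. The following is an added example, not code from the US-CERT report or the analysed samples: it triages Windows Firewall "rule added" audit events and flags rules that open inbound access from unexpected places. The event records and their field names are constructed assumptions standing in for whatever a log pipeline actually emits.

```python
# Added example (not code from the US-CERT report): triage Windows Firewall
# "rule added" events for rules that open inbound access, the behaviour the
# report attributes to the Typeframe proxy modules. Field names and records
# are constructed assumptions; the raw event encodes direction/action as numbers.
from pathlib import PureWindowsPath

# Full paths, not bare names, of tools that legitimately add rules, so a
# look-alike binary dropped in a user directory does not pass the check.
EXPECTED_MODIFIERS = {
    r"c:\windows\system32\mmc.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msiexec.exe",
}

def in_user_writable_dir(app_path):
    """True if the program sits in a tree an unprivileged user can write to."""
    parts = [p.lower() for p in PureWindowsPath(app_path).parts]
    return "users" in parts or "programdata" in parts or parts[1:3] == ["windows", "temp"]

def suspicious_firewall_rule(event):
    """Return the reasons an added rule looks malicious (empty list if none)."""
    reasons = []
    if event["direction"] != "Inbound" or event["action"] != "Allow":
        return reasons  # only inbound allow rules open a door to the host
    app = event.get("application_path", "")
    if app in ("", "*"):
        reasons.append("inbound allow for any program")
    elif in_user_writable_dir(app):
        reasons.append(f"inbound allow for binary in user-writable path: {app}")
    modifier = event.get("modifying_application", "").lower()
    if modifier and modifier not in EXPECTED_MODIFIERS:
        reasons.append(f"rule added by unexpected process: {modifier}")
    return reasons

def triage(events):
    """Map rule name -> reasons for every event that trips at least one check."""
    return {e["rule_name"]: r for e in events if (r := suspicious_firewall_rule(e))}

# Constructed sample events: a benign system rule, two matching the report's
# pattern, and an outbound rule the checks deliberately ignore.
SAMPLE_EVENTS = [
    {"rule_name": "Core Networking - DHCP (DHCP-In)", "direction": "Inbound", "action": "Allow",
     "application_path": r"C:\Windows\System32\svchost.exe", "modifying_application": r"C:\Windows\System32\svchost.exe"},
    {"rule_name": "Update Service", "direction": "Inbound", "action": "Allow",
     "application_path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "modifying_application": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"rule_name": "Remote Helper", "direction": "Inbound", "action": "Allow",
     "application_path": "*", "modifying_application": r"C:\Windows\System32\netsh.exe"},
    {"rule_name": "Telemetry Out", "direction": "Outbound", "action": "Allow",
     "application_path": r"C:\ProgramData\agent\agent.exe", "modifying_application": r"C:\ProgramData\agent\agent.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the two inbound rules that point at a user-writable binary or at any program; tune the expected-modifier set to the management tooling in your own environment.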

The report claims that the so-called “Typeframe” malware is related to Hidden Cobra, an APT group linked last year by the CERT to the North Korean government.

The news comes hot on the heels of diplomatic efforts to improve ties with Pyongyang which resulted in the meeting of President Trump and Kim Jong-un last week.

However, North Korean hackers have long been regarded as a persistent state-sponsored threat to the world. Government operatives are thought to have launched the WannaCry ransomware worm that did so much damage in May 2017.

Plus, the infamous North Korea-linked Lazarus Group has been blamed, among other attacks, for the $81m raid on Bangladesh Bank and the devastating info-stealing and destructive malware attack on Sony Pictures Entertainment.

Advice from the US-CERT on mitigating the Typeframe threat includes keeping patches and anti-virus signatures up to date, disabling file and printer sharing services, restricting users' permissions, enforcing strong passwords, enabling a firewall on each workstation, scanning emails for suspicious attachments and monitoring users' web browsing.
