The US-CERT has released a new technical alert warning of two pieces of malware it says are being used by the North Korean government.
The joint alert comes from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and refers to the prolific APT group known as Hidden Cobra.
The two pieces of malware it’s using are: remote access trojan (RAT) Joanap and SMB worm Brambul.
“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States — including the media, aerospace, financial, and critical infrastructure sectors,” US-CERT claimed.
The US government has found Joanap on 87 compromised network nodes in 17 countries including China, Spain, Sweden, India, Brazil and Iran.
“Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by Hidden Cobra actors remotely from a command and control server,” the alert continued. “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.”
Joanap operates covertly, moving laterally inside an infected network to any connected nodes, said US-CERT.
“Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network,” it added. “Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”
The US-CERT urged organizations to mitigate the risk posed by these attacks by: keeping systems up-to-date with patches and the latest AV, applying least privilege policy to permissions, scanning and blocking suspicious email attachments, disabling Microsoft’s File and Printer Sharing service and configuring personal workstation firewalls to deny unsolicited connection requests.