The US authorities have begun notifying victims of a notorious botnet run by North Korean state-sponsored hackers, as their efforts to disrupt the hermit nation's malicious activity increase.
A court order allowed the FBI and officers from the US Air Force Office of Special Investigations (AFOSI) to operate servers mimicking other peers in the Joanap botnet.
This enabled them to map the extent of the botnet and where the infected machines are located. The next stage is to notify the owners of those machines, most of whom will have no idea they are unwittingly aiding a foreign power's hacking campaigns.
The FBI is coordinating this process via ISPs and in some cases direct communications with the individuals, as well as communicating with foreign governments in cases where victims live abroad.
The Joanap botnet has been in operation since 2009, enabled by the first-stage Brambul worm, which targets poorly secured Windows machines.
Brambul spreads by working through a list of hard-coded login credentials, which it uses to brute-force its way into SMB shares. Once Joanap is dropped on a machine, it goes on to scan for other potential victims.
The Joanap malware is a fully functional RAT able to receive multiple commands and linked by the US authorities to North Korean "Hidden Cobra" actors.
It enables them to exfiltrate data, drop additional payloads, initialize proxy communications on a compromised Windows device, manage files, processes and nodes, and create and delete directories.
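Brambul's spread pattern described above, one source trying a short credential list against SMB on many hosts, is also what a defender can look for. The following is an added example, not code from the article or from any of the agencies it mentions: it runs a sliding-window detector over constructed, simplified SMB authentication records (the `src=... dst=... result=...` format is assumed for illustration; real sources would be Windows 4625 events or Samba logs) and flags sources that fail against several distinct hosts in a short window, noting whether a success followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified auth-log format (not real data).
SAMPLE_LOG = """\
2019-01-30T10:00:01 src=10.0.0.5 dst=FS01 user=administrator result=FAIL proto=SMB
2019-01-30T10:00:02 src=10.0.0.5 dst=FS01 user=admin result=FAIL proto=SMB
2019-01-30T10:00:03 src=10.0.0.5 dst=FS02 user=administrator result=FAIL proto=SMB
2019-01-30T10:00:04 src=10.0.0.5 dst=FS02 user=guest result=FAIL proto=SMB
2019-01-30T10:00:05 src=10.0.0.5 dst=WS17 user=administrator result=FAIL proto=SMB
2019-01-30T10:00:06 src=10.0.0.5 dst=WS17 user=admin result=SUCCESS proto=SMB
2019-01-30T10:05:00 src=10.0.0.9 dst=FS01 user=alice result=FAIL proto=SMB
2019-01-30T10:05:30 src=10.0.0.9 dst=FS01 user=alice result=SUCCESS proto=SMB
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"result=(?P<res>\S+) proto=SMB$"
)

def parse(log_text):
    """Parse the assumed record format into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events

def detect_smb_spray(events, window=timedelta(minutes=5), min_hosts=3, min_failures=4):
    """Return {src: (distinct_hosts, failures, success_in_window)} for sources whose
    failed SMB logons within one window span at least min_hosts distinct targets."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] fits inside the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            fails = [e for e in evs[start:end + 1] if e["res"] == "FAIL"]
            hosts = {e["dst"] for e in fails}
            if len(hosts) >= min_hosts and len(fails) >= min_failures:
                # A success after a fan-out of failures is the worm's foothold.
                got_in = any(e["res"] == "SUCCESS" for e in evs[start:end + 1])
                alerts[src] = (len(hosts), len(fails), got_in)
    return alerts
```

Tune `min_hosts` and `window` to the environment; the single-user retry from 10.0.0.9 is deliberately below threshold so that ordinary typos do not alert.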
According to a US-CERT alert in May 2018, Joanap had been found on 87 compromised network nodes in countries including China, Spain, Sweden, India, Brazil and Iran.
“Our efforts have disrupted state-sponsored cyber-criminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said US Attorney Nicola Hanna.
“While the Joanap botnet was identified years ago and can be defeated with anti-virus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cyber-criminals from using botnets to stage damaging computer intrusions.”