The FBI and DHS have released a technical alert warning about two malware families that the North Korean hacking group Hidden Cobra is using to remotely penetrate systems and steal sensitive data and credentials.
The U.S. government refers to the two pieces of malware as Joanap, a Remote Access Trojan (RAT), and Brambul, a Server Message Block (SMB) worm.
Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government. According to the U.S. government, the group is known for attacks mostly against media organizations and the aerospace, financial and critical infrastructure sectors across the world, and has been using these two pieces of malware since at least 2009.
This infamous group was also associated with the WannaCry ransomware attack that last year shut down hospitals and businesses and created havoc around the globe, as well as with the 2014 Sony Pictures hack and the 2016 SWIFT banking attack.
According to US-CERT, Joanap is a two-stage malware that establishes peer-to-peer communications, allowing the attackers to remotely execute commands on compromised Windows devices.
Joanap typically reaches a system as a file dropped by other malware, downloaded from a compromised site, or opened as a malicious email attachment. An analysis of the Joanap infrastructure found the malware on 87 compromised network nodes in 17 countries, including Brazil, China, Spain, Taiwan, Sweden, India and Iran.
Brambul is a brute-force authentication worm that abuses the Server Message Block (SMB) protocol to spread itself to other systems.
Brambul is a malicious 32-bit Windows dynamic link library that is typically dropped and installed on victim networks by dropper malware and then spreads through SMB shares by brute-forcing logins. Once it gains access to a system, it emails information about the victim to the Hidden Cobra operators, including the IP address, hostname and credentials of each compromised system.
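The two Brambul behaviours described above, SMB brute-force spreading and victim details mailed straight out of the network, are both visible in ordinary telemetry. The following is an added detection example, not code from the article or from US-CERT: it runs over a constructed set of Windows logon events (4625 failed logon, 4624 successful logon, logon type 3 for network logons such as SMB) and firewall connection records, flags sources that fail logons across several hosts, flags hosts other than the sanctioned mail relay opening outbound TCP/25, and correlates the two. The log format, hostnames, IP addresses and thresholds are all assumptions made for the example.

```python
"""Added example (not from the original article or from US-CERT): detection
logic for the two Brambul behaviours the article describes, SMB brute-force
spreading and victim data e-mailed out of the network. The log format,
hostnames, IPs and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed sample telemetry, one record per line, key=value fields.
# event=4625 / 4624 are the Windows failed / successful logon event IDs;
# logon_type=3 (network logon) is what SMB authentication produces.
# event=conn lines stand in for a firewall's connection log.
SAMPLE_LOGS = """\
2018-05-29T10:00:01 host=WS-01 event=4625 logon_type=3 src=10.0.0.23 user=administrator
2018-05-29T10:00:02 host=WS-01 event=4625 logon_type=3 src=10.0.0.23 user=admin
2018-05-29T10:00:03 host=WS-01 event=4625 logon_type=3 src=10.0.0.23 user=root
2018-05-29T10:00:04 host=WS-02 event=4625 logon_type=3 src=10.0.0.23 user=administrator
2018-05-29T10:00:05 host=WS-02 event=4625 logon_type=3 src=10.0.0.23 user=admin
2018-05-29T10:00:06 host=WS-02 event=4625 logon_type=3 src=10.0.0.23 user=root
2018-05-29T10:00:07 host=WS-03 event=4625 logon_type=3 src=10.0.0.23 user=administrator
2018-05-29T10:00:08 host=WS-03 event=4625 logon_type=3 src=10.0.0.23 user=admin
2018-05-29T10:00:09 host=WS-03 event=4625 logon_type=3 src=10.0.0.23 user=root
2018-05-29T10:00:10 host=WS-03 event=4624 logon_type=3 src=10.0.0.23 user=backup
2018-05-29T10:00:11 host=WS-01 event=4625 logon_type=3 src=10.0.0.50 user=jsmith
2018-05-29T10:00:12 host=WS-01 event=4625 logon_type=3 src=10.0.0.50 user=jsmith
2018-05-29T10:00:13 host=WS-01 event=4624 logon_type=3 src=10.0.0.50 user=jsmith
2018-05-29T10:01:00 host=FW event=conn src=10.0.0.9 dst=203.0.113.5 dport=25
2018-05-29T10:01:30 host=FW event=conn src=10.0.0.23 dst=198.51.100.77 dport=25
"""


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_smb_bruteforce(records, min_failures=8, min_targets=3):
    """Sources with many network-logon failures spread across several hosts.
    A user mistyping a password fails a couple of times against one host;
    a worm sweeping shares with a password list fails across many."""
    failures = defaultdict(lambda: {"count": 0, "targets": set(), "users": set()})
    for r in records:
        if r.get("event") == "4625" and r.get("logon_type") == "3":
            entry = failures[r["src"]]
            entry["count"] += 1
            entry["targets"].add(r["host"])
            entry["users"].add(r.get("user", ""))
    return {src: e for src, e in failures.items()
            if e["count"] >= min_failures and len(e["targets"]) >= min_targets}


def find_rogue_smtp(records, mail_relays):
    """Hosts other than the sanctioned relays opening outbound TCP/25."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if r.get("event") == "conn" and r.get("dport") == "25"
                   and r["src"] not in mail_relays})


def correlate(records, mail_relays):
    """A source that both sprays SMB logons and sends mail directly matches
    the Brambul pattern; report it with the first host it logged into."""
    sprayers = find_smb_bruteforce(records)
    mailers = {src for src, _ in find_rogue_smtp(records, mail_relays)}
    hits = {}
    for src in sprayers.keys() & mailers:
        successes = [r["host"] for r in records
                     if r.get("event") == "4624" and r.get("logon_type") == "3"
                     and r.get("src") == src]
        hits[src] = {"failed": sprayers[src]["count"],
                     "targets": sorted(sprayers[src]["targets"]),
                     "first_success": successes[0] if successes else None}
    return hits


if __name__ == "__main__":
    # 10.0.0.9 plays the role of the only sanctioned mail relay.
    for src, info in correlate(parse_logs(SAMPLE_LOGS), {"10.0.0.9"}).items():
        print(src, info)
```

The thresholds are deliberately low so the constructed sample trips them; in a real environment tune `min_failures` and `min_targets` against a baseline of normal failed network logons, and treat the outbound TCP/25 check as the stronger signal, since workstations have no legitimate reason to speak SMTP directly to the internet.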