Three years have passed since the WannaCry ransomware epidemic, which affected companies and organizations around the world, and the information security landscape has changed for good. Let me remind you that researchers and authorities unanimously blamed the incident on North Korean hackers, and the US government even charged a specific suspect in absentia.
This week, to mark the anniversary, specialists from the FBI, the US Department of Defense and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) disclosed three new malware families attributed to the North Korean hacking group Lazarus, also known as Hidden Cobra. The new malware was not only described in the report; samples were also uploaded to VirusTotal.
Let me remind you that the US authorities have been publishing information about North Korean malware since 2017, and 28 different threats have been disclosed to date. The idea behind this initiative is to make information about the malware public and accessible, so that the public and private sectors can more easily detect and block attacks that use it. This complicates life for North Korean hackers by forcing them to keep working on new versions of their tools, exploits and malware.
This week, the following threats were made public:
COPPERHEDGE – a Remote Access Trojan (RAT) capable of running arbitrary commands, performing reconnaissance and stealing data. Six different variants were discovered.
TAINTEDSCRIBE – a malicious implant (trojan) installed on compromised systems to receive and execute malicious commands. It uses FakeTLS for session authentication and a Linear Feedback Shift Register (LFSR) algorithm for encryption. The main executable is disguised as Microsoft's Narrator.
PEBBLEDASH – another implant, able to download, upload, delete and execute files, enable Windows CLI access, create and terminate processes, and so on.
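The TAINTEDSCRIBE description mentions an LFSR-based encryption scheme. The following is an added example written for this article, not code or parameters from TAINTEDSCRIBE or the CISA report: a toy LFSR stream cipher and the known-plaintext analysis that shows why a bare LFSR keystream is weak. The seed, tap positions and messages are constructed for the demo; an analyst who knows a fixed protocol header of at least twice the register length in bits can recover the recurrence with the Berlekamp-Massey algorithm and regenerate the entire keystream.

```python
# Added example (not code or parameters from TAINTEDSCRIBE or the CISA report):
# a toy LFSR stream cipher and the known-plaintext recovery that shows why a bare
# LFSR is weak. Seed, taps, and messages below are constructed for this demo.


def _next_bit(s, lags):
    """Feedback bit: XOR of the bits `lag` positions back, one per lag."""
    bit = 0
    for t in lags:
        bit ^= s[len(s) - t]
    return bit


def lfsr_keystream(seed, lags, nbits):
    """Run the recurrence s_j = XOR_t s_{j-t} (t in lags) until nbits bits exist."""
    s = list(seed)
    while len(s) < nbits:
        s.append(_next_bit(s, lags))
    return s[:nbits]


def berlekamp_massey(bits):
    """Shortest GF(2) recurrence for `bits`: returns (L, c) such that
    s_j = XOR of c[i] & s_{j-i} for i = 1..L, with c[0] == 1."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # L = linear complexity so far, m = index of last change
    for i in range(n):
        d = bits[i]            # discrepancy between the prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            prev = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L, c[:L + 1]


def bytes_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, seed, lags):
    """Toy cipher: plaintext XOR LFSR keystream."""
    ks = bits_to_bytes(lfsr_keystream(seed, lags, len(plaintext) * 8))
    return xor_bytes(plaintext, ks)


def recover_plaintext(ciphertext, known_prefix):
    """Analyst side: a known plaintext prefix of at least 2n bits yields the
    keystream prefix; Berlekamp-Massey recovers the recurrence; running it
    forward regenerates the whole keystream and decrypts the message."""
    ks_prefix = bytes_to_bits(xor_bytes(ciphertext[:len(known_prefix)], known_prefix))
    L, c = berlekamp_massey(ks_prefix)
    lags = [i for i in range(1, L + 1) if c[i]]
    ks = lfsr_keystream(ks_prefix, lags, len(ciphertext) * 8)
    return L, xor_bytes(ciphertext, bits_to_bytes(ks))


def demo():
    seed = bytes_to_bits(b"\xac\xe1")             # constructed 16-bit seed
    lags = [11, 13, 14, 16]                       # x^16 + x^14 + x^13 + x^11 + 1
    plaintext = b"HDR-01|beacon demo payload"     # constructed message with a fixed header
    ct = encrypt(plaintext, seed, lags)
    L, recovered = recover_plaintext(ct, b"HDR-01|")   # only the 7-byte header is assumed known
    return L, recovered, plaintext


if __name__ == "__main__":
    L, recovered, plaintext = demo()
    print("recovered linear complexity:", L)
    print("decrypted:", recovered)
```

The point for a defender is that the recovered recurrence is itself just another LFSR: once the 56 known header bits are available, nothing about the secret seed or taps needs to be guessed, so traffic or files protected this way can be decoded for inspection from a single captured sample with a predictable prefix.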
Kaspersky Lab expert Costin Raiu writes that all three malware types are indeed associated with well-known North Korean hacking groups. According to him, the code of the published samples is similar to the Manuscrypt malware, which was discovered by Kaspersky Lab in 2017 and was used to attack cryptocurrency exchanges.
– Costin Raiu (@craiu) May 12, 2020