US-CERT Issues Notice About Two North Korean Malware Variations

June 01, 2018


Two malware strains, called Joanap and Brambul, are being used to establish peer-to-peer connections and remotely access infected systems, manage botnets, and steal system information and login credentials. The malware strains are communicating with IP addresses in 17 countries and have been attributed to North Korea by the U.S. Department of Homeland Security (DHS) and the FBI.

The malware families are not new. They have been used by North Korea since 2009 and have previously been used in targeted attacks on media outlets and on aerospace, financial, and critical infrastructure organizations, including organizations in the United States.

The malware strains are associated with HIDDEN COBRA, the name given to North Korea’s cyber operations. US-CERT has published the IP addresses used for communication and other indicators of compromise (IoCs) so that businesses can check for malware infections.

Infection could result in temporary or permanent loss of data, theft of confidential and proprietary information, disruption of normal operations, financial losses, and reputational damage.

Joanap is capable of process management, file management, node management, and the creation and removal of directories. The malware establishes peer-to-peer communications and can manage botnets deployed on compromised computers. Once installed, it allows HIDDEN COBRA threat actors to exfiltrate data, set up proxy communications, and deploy additional malicious payloads.

Brambul is a 32-bit Windows Server Message Block (SMB) worm that runs as a dynamic link library or portable executable file. It is installed by dropper malware. According to US-CERT’s warning, “The malware tries to set up communication with victim systems and IP addresses on sufferers’ local subnets. If effective, the application tries to gain illegal access through the SMB procedure (ports 139 and 445) by starting brute-force password attacks utilizing a list of inserted passwords.” The malware can also randomly generate IP addresses for further attacks.

The malware harvests system information and credentials and sends them to malicious email addresses; the stolen credentials let the attackers remotely access compromised systems over SMB. Although the exact attack vector has not been confirmed, it is believed that insecure or unsecured systems are compromised first and that the malware then spreads laterally via poorly protected network shares.
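The behaviour described above, a host on the local subnet firing failed network logons at many neighbours and many account names in a short burst and then succeeding, leaves a recognisable trace in Windows Security logs. The following detection script is an added example written for this page; it is not code from US-CERT or from the advisory. It assumes failed (4625) and successful (4624) logon events with Logon Type 3 (network) have been exported as one-line text records in the simple format shown, and the log lines it parses are constructed sample data, not real telemetry.

```python
"""Flag Brambul-style SMB brute-force bursts in exported Windows logon events.

Added example, not part of the US-CERT advisory. Assumed export format per line:
  <ISO timestamp> <EventID> LogonType=<n> Account=<name> Source=<ip> Target=<host>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 10.0.5.23 sprays a short password list across
# four hosts and finally gets in; 10.0.5.40 is a user mistyping a password twice.
SAMPLE_LOG = """\
2018-06-01T10:00:00 4625 LogonType=3 Account=administrator Source=10.0.5.23 Target=FS01
2018-06-01T10:00:01 4625 LogonType=3 Account=admin Source=10.0.5.23 Target=FS01
2018-06-01T10:00:02 4625 LogonType=3 Account=guest Source=10.0.5.23 Target=FS01
2018-06-01T10:00:03 4625 LogonType=3 Account=administrator Source=10.0.5.23 Target=FS02
2018-06-01T10:00:04 4625 LogonType=3 Account=admin Source=10.0.5.23 Target=FS02
2018-06-01T10:00:05 4625 LogonType=3 Account=backup Source=10.0.5.23 Target=FS02
2018-06-01T10:00:06 4625 LogonType=3 Account=administrator Source=10.0.5.23 Target=WS07
2018-06-01T10:00:07 4625 LogonType=3 Account=admin Source=10.0.5.23 Target=WS07
2018-06-01T10:00:08 4625 LogonType=3 Account=test Source=10.0.5.23 Target=WS07
2018-06-01T10:00:09 4625 LogonType=3 Account=administrator Source=10.0.5.23 Target=WS08
2018-06-01T10:00:10 4625 LogonType=3 Account=admin Source=10.0.5.23 Target=WS08
2018-06-01T10:00:11 4624 LogonType=3 Account=admin Source=10.0.5.23 Target=WS08
2018-06-01T10:02:00 4625 LogonType=3 Account=jsmith Source=10.0.5.40 Target=FS01
2018-06-01T10:02:30 4625 LogonType=3 Account=jsmith Source=10.0.5.40 Target=FS01
2018-06-01T10:02:45 4624 LogonType=3 Account=jsmith Source=10.0.5.40 Target=FS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+) Target=(?P<target>\S+)$"
)


def parse_events(text):
    """Parse exported log lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "account": m["account"],
            "src": m["src"],
            "target": m["target"],
        })
    return events


def detect_smb_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=10, min_accounts=3, min_targets=2):
    """Return {source_ip: finding} for sources whose failed network logons
    hit many accounts and many hosts inside one time window (worm-like spraying).
    A finding also records whether a network logon succeeded after the burst began."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:  # network logons only; SMB access shows up here
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]
        for i, first in enumerate(failures):
            # sliding window anchored on each failure in turn
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["account"] for e in burst}
            targets = {e["target"] for e in burst}
            if (len(burst) >= min_failures and len(accounts) >= min_accounts
                    and len(targets) >= min_targets):
                succeeded = any(e["event"] == 4624 and e["ts"] >= first["ts"]
                                for e in evs)
                findings[src] = {
                    "failures": len(burst),
                    "accounts": sorted(accounts),
                    "targets": sorted(targets),
                    "success_after_burst": succeeded,
                    "first_seen": first["ts"].isoformat(),
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in detect_smb_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {f['failures']} failed network logons against "
              f"{len(f['targets'])} hosts using {len(f['accounts'])} accounts; "
              f"success after burst: {f['success_after_burst']}")
```

The thresholds are starting points rather than tuned values: a user who mistypes a password a couple of times never reaches ten failures across two hosts, while a worm working through an embedded password list against the local subnet does so within seconds. A source that is flagged with `success_after_burst` set is the one to isolate first, since that is the host from which the credentials are now being used.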

DHS recommends the following security best practices to reduce exposure to these types of malware: keep all software and operating systems fully patched; install antivirus software and run regular scans; scan all new software before deployment; restrict administrator privileges; scan emails and email attachments; disable Microsoft’s file and printer sharing service; and use a personal firewall on all workstations, configured to deny unsolicited connection requests.