US Cyber Command, DHS, and FBI have exposed a new North Korean campaign of malware and phishing (via ZDNet).
North Korea Malware
Six new families of malware are being used by North Korean hackers. US Cyber Command thinks the malware is used to gain remote access to infected systems in order to steal funds. The six families are:
- BISTROMATH – described as “a full-featured RAT”
- SLICKSHOES – described as a malware dropper (loader)
- CROWDEDFLOUNDER – described as a “32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory.”
- HOTCROISSANT – described as “a full-featured beaconing implant” used for “conducting system surveys, file upload/download, process and command execution, and performing screen captures.”
- ARTFULPIE – described as “an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.”
- BUFFETLINE – described as “a full-featured beaconing implant” that can “download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
The malware is thought to be linked to a hacking group called HIDDEN COBRA, which also goes by the name of Lazarus Group, North Korea’s biggest hacking group. U.S. officials are sending warnings to private companies.