US Cyber Command, DHS, and FBI have exposed a new North Korean campaign of malware and phishing (via ZDNet).
North Korea Malware
Six new families of malware are being used by North Korean hackers. US Cyber Command thinks the malware is used for remote access into infected system to steal funds. The six families are:
- BISTROMATH – described as “a full-featured RAT”
- SLICKSHOES – described as a malware dropper (loader)
- CROWDEDFLOUNDER – described as a “32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory.”
- HOTCROISSANT – described as a “a full-featured beaconing implant” used for “conducting system surveys, file upload/download, process and command execution, and performing screen captures.”
- ARTFULPIE – described as “an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.”
- BUFFETLINE – described as “a full-featured beaconing implant” that can “download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
The malware is thought to be linked to a hacking group called HIDDEN COBRA, which also goes by the name of Lazarus Group, North Korea’s biggest hacking group. U.S. officials are sending warnings to private companies.
Further Reading
[Security Friday, Backup Tips – TMO Daily Observations 2020-02-14]
The US has admitted to masquerading as Chinese hackers when it does business, so I wouldn’t be surprised if it masquerades as North Korean hackers either.
Likely somebody outside the US security services discovered these malware and reported them. Fire up the security publicity machine. Score a disinformation victory over North Korea. And let the rip and read news services copy to all affiliates. I understand these things are difficult to research independently, but there must be inside sources for these things.