DHS, FBI warn about malware tied to North Korean threat actor

US-CERT has released a new technical alert on malware used by Hidden Cobra, a threat actor whose activities the US government believes to be directed by the North Korean government.

North Korean malware

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been documenting malware used by the group for a while now.

This time, they warn about Joanap, a remote access tool (RAT) that is used “to establish peer-to-peer communications and to manage botnets designed to enable other operations”, and Brambul, a brute-force authentication worm that spreads through SMB shares.
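A defender-side check for the behaviour described above, added here as an example that is not from the alert or the article: it scans constructed, simplified Windows Security event 4625 (failed logon) records and flags source hosts that fail network logons against many different accounts within a short window, which is the footprint an SMB brute-force worm leaves on its targets. The record format, thresholds, IP addresses and account names are all invented for the example.

```python
# Added example (not from the US-CERT alert): flag hosts whose failed network
# logons look like an SMB brute-force worm. The input is a constructed,
# simplified rendering of Windows Security event 4625 records:
# timestamp, event id, logon type, source IP, target account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one noisy source trying many accounts, one user typo.
SAMPLE_LOG = """\
2018-05-29T10:00:01 4625 3 10.0.0.25 administrator
2018-05-29T10:00:02 4625 3 10.0.0.25 admin
2018-05-29T10:00:02 4625 3 10.0.0.25 root
2018-05-29T10:00:03 4625 3 10.0.0.25 guest
2018-05-29T10:00:04 4625 3 10.0.0.25 backup
2018-05-29T10:00:05 4625 3 10.0.0.25 test
2018-05-29T10:00:09 4625 2 10.0.0.7 jdoe
2018-05-29T10:05:00 4625 3 10.0.0.7 jdoe
2018-05-29T10:06:00 4625 3 10.0.0.7 jdoe
"""

def parse_events(text):
    """Parse the simplified records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, src, account = parts
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "src": src, "account": account})
    return events

def find_brute_force(events, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Return {source_ip: sorted accounts tried} for sources with at least
    min_failures failed network logons (4625, logon type 3) spread over at
    least min_accounts distinct accounts inside a single sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 3:   # network logon = SMB-style access
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window over each start
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["account"] for e in in_win}
            if len(in_win) >= min_failures and len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits
```

Interactive and legitimate failed logons (logon type 2, or a single account retried a couple of times) fall below the thresholds and are not reported.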

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors,” the alert notes.

“Like many of the families of malware used by Hidden Cobra actors, Joanap, Brambul, and other previously reported custom malware tools may be found on compromised network nodes.”

According to US-CERT, compromised network nodes identified as part of the Joanap infrastructure are scattered all across the world.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” it said.

US-CERT advises administrators to use the provided indicators of compromise and malware analysis report to check whether their networks have been compromised, and it also offers general advice on strategies that can mitigate the threat these and other malware pose.

The alert did not name specific targets, but it did contain a link to a separate report by analytics company Novetta, which says the same group was behind the 2014 Sony Pictures Entertainment hack.