CISA / FBI / DoD : HIDDEN COBRA 北朝鮮の悪意あるサイバー活動

こんにちは、丸山満彦です。

米国のサイバーセキュリティ・インフラストラクチャー安全保障局（CISA）、連邦捜査局（FBI）、国防省（DoD）が2020.05.12に、北朝鮮政府が使用するマルウェアの亜種に関する3つの分析レポート（MAR）をリリースしていますね。

● Cybersecurity and Infrastructure Security Agency (CISA)

・2020.05.12 North Korean Malicious Cyber Activity

-----
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified three malware variants—COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH—used by the North Korean government. In addition, U.S. Cyber Command has released the three malware samples to the malware aggregation tool and repository, VirusTotal. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

CISA encourages users and administrators to review the Malware Analysis Reports for each malware variant listed above, U.S. Cyber Command’s VirusTotal page, and CISA’s North Korean Malicious Cyber Activity page for more information.
-----

● North Korean Malicious Cyber Activity

• 2020.05.12 Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE
• 2020.05.12 Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE
• 2020.05.12 Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH

-----

■報道等

● Cyberscoop
・2020.05.12 FBI, DHS to go public with suspected North Korean hacking tools by Shannon Vavra

● Health IT Security
・2020.05.12 Feds Alert to New North Korean Malware Threats, Mitigation Tactics by Jessica Davis
DHS CISA, the FBI, and DOD are urging organizations to review insights into three recent malware variants tied to North Korea and recommended mitigation techniques to bolster defenses.

● ZDnet
・2020.05.12 On the three-year anniversary of WannaCry, US exposes new North Korean malware by Catalin Cimpanu

US cyber-security officials expose today three new North Korean malware strains named COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.

 

 

Malware Analysis Report (AR20-133A)

MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as COPPERHEDGE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features. The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of "WinHTTP_Protocol" and later "WebPacket".

For a downloadable copy of IOCs, see MAR-10288834-1.v1.stix

-----

 

Malware Analysis Report (AR20-133B)

MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as TAINTEDSCRIBE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at a full-featured beaconing implant and its command modules. These samples uses FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator. It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.

For a downloadable copy of IOCs, see MAR-10288834-2.v1.stix.

-----

 

Malware Analysis Report (AR20-133C)

MAR-10288834-3.v1 – North Korean Trojan: PEBBLEDASH

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as PEBBLEDASH. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at a full-featured beaconing implant. This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.

For a downloadable copy of IOCs, see MAR-10288834-3.v1.stix.

-----