North Korea’s Hidden Cobra hackers cook up Sharpknot destructive malware
- 29 March, 2018 04:13
US-CERT has issued an alert over a nasty trojan dubbed Sharpknot that wipes the Master Boot Record (MBR) and files on infected machines.
The destructive malware is the latest tool alleged to hail from Pyongyang’s hacking group Hidden Cobra, the subject of a lengthy investigation by the US DHS National Cybersecurity and Communications Integration Center (NCCIC) and the FBI’s Cyber Watch (CyWatch).
US-CERT warned that users and admins should give activity associated with Sharpknot the “highest priority for enhanced mitigation” as Windows machines will be “rendered inoperative” if each step is successfully executed.
The malware is designed to “destroy a compromised Windows system”, according to US-CERT, which it achieves by first overwriting the Master Boot Record (MBR) and then deleting files on the local system, mapped network shares, and any physically connected storage devices.
Interestingly, before overwriting the MBR, one of the first things Sharpknot attempts after executing is disabling a security service called “Alerter” that was present in Windows XP but was dropped after Windows Server 2003. The malware needs to be executed from the command line and also attempts to disable the “System Event Notification” service.
Once these services are disabled, the malware attempts to overwrite the MBR, and displays an “OK” status in the command (CMD) window if it was successful or a “Fail” status if it couldn’t.
“After the MBR is overwritten, the malware attempts to gain access to physical and network drives attached to the victim's system and recursively enumerate through the drive’s contents,” US-CERT writes.
“When the malware identifies a file, it overwrites the file's contents with NULL bytes, renames the file with a randomly generated file name, then deletes the file, making forensic recovery impossible.”
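The one observable the alert gives defenders before the MBR is touched is the pair of service stops. The following detection logic, written for this article and not taken from US-CERT's alert or any Hidden Cobra sample, scans Service Control Manager "entered the stopped state" messages (event 7036) and flags a host on which both the Alerter and System Event Notification services stopped within a short window. The log lines, the host names and the simplified line layout are constructed for the example; real exports will need their own parser.

```python
"""Flag hosts where both services Sharpknot stops enter the stopped state together.

Constructed example: the line format mimics Windows System log, Service Control
Manager event 7036 ("The X service entered the stopped state."), flattened to
one line per event as "<ISO timestamp> <host> 7036 <message>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts HOST-A, HOST-B, HOST-C).
# HOST-B shows the two stops one second apart; HOST-C shows them hours apart
# (normal administrative noise on a legacy box); HOST-A stops an unrelated service.
SAMPLE_LOG = """\
2018-03-28T10:00:01 HOST-A 7036 The Windows Update service entered the stopped state.
2018-03-28T10:15:42 HOST-B 7036 The Alerter service entered the stopped state.
2018-03-28T10:15:43 HOST-B 7036 The System Event Notification service entered the stopped state.
2018-03-28T11:05:00 HOST-C 7036 The Alerter service entered the stopped state.
2018-03-28T13:30:00 HOST-C 7036 The System Event Notification service entered the stopped state.
"""

# Display names of the two services the article says the malware disables.
WATCHED = {"Alerter", "System Event Notification"}

LINE_RE = re.compile(
    r"^(\S+) (\S+) 7036 The (.+?) service entered the (\w+) state\.$"
)


def parse_events(text):
    """Parse constructed 7036 lines into (timestamp, host, service, state) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not service-state transitions
        ts, host, svc, state = m.groups()
        events.append((datetime.fromisoformat(ts), host, svc, state))
    return events


def find_suspect_hosts(text, window=timedelta(minutes=5)):
    """Return hosts on which every watched service stopped within `window`.

    A single stop of either service is routine; both stopping together is the
    pattern the alert describes, so only the combination is flagged.
    """
    stops = defaultdict(list)
    for ts, host, svc, state in parse_events(text):
        if svc in WATCHED and state == "stopped":
            stops[host].append((ts, svc))

    suspects = []
    for host, evs in stops.items():
        evs.sort()
        # Slide a window forward from each stop; flag on the first window that
        # contains a stop of every watched service.
        for i, (t0, _) in enumerate(evs):
            seen = {svc for ts, svc in evs[i:] if ts - t0 <= window}
            if seen == WATCHED:
                suspects.append(host)
                break
    return sorted(suspects)


if __name__ == "__main__":
    for host in find_suspect_hosts(SAMPLE_LOG):
        print(f"{host}: Alerter and System Event Notification stopped together")
```

The window is the only tuning knob: widening it to hours would also catch HOST-C in the sample, which is why a few minutes is the default. Because Alerter only exists on the Windows XP and Server 2003 era systems the article mentions, this check is meaningful on legacy hosts; on newer Windows the stop of Alerter never appears, and the System Event Notification stop on its own is not a strong signal.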
Sharpknot is the eighth tool allegedly created by the Hidden Cobra operation that US-CERT has written about since its initial June 2017 writeup on the group’s DDoS botnet infrastructure.
Others include Delta Charlie, a tool for controlling the DDoS infrastructure; the Volgmer backdoor; FALLCHILL, a remote access tool used to target the aerospace, telco, and finance sectors; BADCALL, which turns infected machines into a proxy server; and HARDRAIN, a set of tools that uses a proxy server to mimic encrypted TLS sessions.