CIO

US alert: North Korea has updated old RATs and worms

The US Department of Homeland Security’s (DHS) US-CERT is warning organizations to check systems for malware that has links to the North Korean hacking group accused of wiping out Sony Pictures Entertainment computers in 2014.  

US-CERT said it and the FBI had identified a new set of IP and email addresses linked with two malware families it believes were made by Pyongyang-backed hackers. This includes a remote access tool (RAT) for spying on victims, called Joanap, and a worm called Brambul that uses the Server Message Block (SMB) protocol to spread through networks. 

The new warning comes on the heels of a worldwide alert about the alleged Russian-made destructive router malware, which Ukrainian officials feared could be used to disrupt the country during the Champions League final in Kyiv on Saturday.

The US Government’s umbrella term for North Korean hacking is Hidden Cobra, and its public dossier on the nation’s hacking activities now includes 10 articles covering activity since early 2017, much of it linked to the Lazarus hacking group that was accused of destroying computers at Sony in 2014 and is thought to have orchestrated the WannaCry attack. 

In March, US-CERT also warned admins about destructive malware in the Hidden Cobra files, which it called Sharpknot, that wipes the Master Boot Record of Windows machines.

The US agency warned that a new variant of the Brambul worm contains a number of new remote access capabilities. The malware is known to carry a list of common administrator passwords that it uses to brute force poorly configured systems over SMB.

Symantec’s 2015 report on Brambul noted that the malware used SMB to scan for Windows PCs with usernames like “administrator” and passwords such as “password”, “1”, and “123456”. It noted that the worm then sent an email to the address “whiat1001@gmail.com”.

According to US-CERT, if the Brambul malware gains access to a system it sends the username and password to the North Korean hackers using two new Gmail addresses: misswang8107[@]gmail.com and redhat[@]gmail.com.

“Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol,” US-CERT notes.
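The spreading behaviour described above, a burst of failed network logons against an administrator account from one host followed by a successful one, is visible in Windows Security event logs (event 4625 for failures, 4624 for successes, logon type 3 for network authentication such as SMB). The script below is an added example, not code from the article or from US-CERT, showing one way to hunt for it. It assumes the events have been exported to a simple pipe-delimited line format, and the sample records are constructed, not real telemetry.

```python
"""Flag Brambul-style SMB credential brute forcing in Windows Security log records.

Added example, not code from the article or from US-CERT. Assumes events have
been exported to a pipe-delimited line format (an assumption made for this example):
    timestamp|event_id|logon_type|target_user|source_ip
Event 4625 = failed logon, 4624 = successful logon, logon type 3 = network
(the type an SMB authentication is recorded as).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Host 10.0.0.45 hammers the
# built-in administrator account over the network and finally gets in;
# 10.0.0.7 is a user who mistyped a password twice; the last line is a local
# (logon type 2) failure that should not count.
SAMPLE_LOG = """\
2018-05-30T10:01:02|4625|3|administrator|10.0.0.45
2018-05-30T10:01:03|4625|3|administrator|10.0.0.45
2018-05-30T10:01:03|4625|3|administrator|10.0.0.45
2018-05-30T10:01:04|4625|3|administrator|10.0.0.45
2018-05-30T10:01:05|4625|3|administrator|10.0.0.45
2018-05-30T10:01:06|4625|3|administrator|10.0.0.45
2018-05-30T10:01:07|4624|3|administrator|10.0.0.45
2018-05-30T10:05:00|4625|3|jsmith|10.0.0.7
2018-05-30T10:05:20|4625|3|jsmith|10.0.0.7
2018-05-30T10:05:40|4624|3|jsmith|10.0.0.7
2018-05-30T11:00:00|4625|2|administrator|127.0.0.1
"""


def parse_events(text):
    """Turn the pipe-delimited export into a time-sorted list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),
            "src": src,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_smb_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per (source, account) that produced at least
    `threshold` network-logon failures inside `window`, noting whether a
    network logon from that source succeeded for the account afterwards,
    which is the point at which a worm like Brambul would start spreading
    and mailing the credentials out."""
    failures = defaultdict(list)   # (src, user) -> failure timestamps
    successes = defaultdict(list)  # (src, user) -> success timestamps
    for e in events:
        if e["logon_type"] != 3:
            continue  # interactive/local logons are not SMB brute forcing
        key = (e["src"], e["user"])
        if e["event_id"] == 4625:
            failures[key].append(e["time"])
        elif e["event_id"] == 4624:
            successes[key].append(e["time"])

    findings = []
    for key, times in failures.items():
        # Sliding window over the sorted failure times: find the densest burst.
        start, best, best_end = 0, 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_end = count, times[end]
        if best >= threshold:
            findings.append({
                "src": key[0],
                "user": key[1],
                "failures": best,
                "success_after": any(t >= best_end for t in successes[key]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_smb_brute_force(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports a single finding for 10.0.0.45 against administrator with six failures and a success after them; the two mistyped passwords from 10.0.0.7 and the local failure on 127.0.0.1 are ignored. The threshold and window are starting points: Brambul's password list is short, so a burst of a handful of type-3 failures against a built-in admin account from one internal host is already worth a look.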

The Joanap malware meanwhile has now infected 87 network nodes in 17 countries, including Argentina, Belgium, Brazil, Cambodia, China, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, and Tunisia.

The malware allows the presumed North Korean hackers to steal data, install malware, and communicate through compromised Windows devices.

The agency warns that organizations infected with the malware could permanently lose sensitive information and have operations disrupted.