North Korean Malicious Cyber Activity: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

 In APT, Malware, News, Threat Intelligence

Backdoor.Joanap is a malicious program which is developed by cyber criminals to gain illegal income. It uses several stealthy ways to get inside the targeted computer and after successful invasion it carry out several malicious activities. According to a research this malware hides its executable in INI and CNF files to run unhindered and prevent its detection from antivirus software. So if you are that unfortunate user whose computer get infected with this threat then you will have to face several annoying issues which can turn into serious damage.

Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.

Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.

Joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include

  • file management,
  • process management,
  • creation and deletion of directories, and
  • node management.

When the Trojan is executed, it creates the following files:

  • %System%\scardprv.dll
  • %System%\wcssvc.dll
  • %System%\mssscardprv.ax

The Trojan then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Security\”Security” = “[HEXADECIMAL VALUE]”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Parameters\”ServiceDll” = “%System%\scardprv.dll”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”Type” = “20”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”Start” = “2”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ObjectName” = “LocalSystem”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ImagePath” = “%System%\svchost.exe -k SCardPrv”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ErrorControl” = “1”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”DisplayName” = “SmartCard Protector”

Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.

Brambul

Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.

Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.

Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:

  • harvesting system information,
  • accepting command-line arguments,
  • generating and executing a suicide script,
  • propagating across the network using SMB,
  • brute forcing SMB login credentials, and
  • generating Simple Mail Transport Protocol email messages containing target host system information.

How Backdoor.Joanap Sneak into Your PC?

Being a typical trojan, Backdoor.Joanap use different stealthy way to get inside your system and thats the reason why user are unaware from its invasion. Here are some possible way of infiltration:

  • Through infected links sent via social media
  • Via free software or software updates
  • Opening spam email attachment sent by unknown source
  • Visiting infected or malicious websites
  • Through peer to peer file sharing network etc.

What Type of Havoc Backdoor.Joanap create on compromised PC?

Backdoor.Joanap is a malicious Trojan virus which often attacks remote computers. This virus is designed by cyber copes with the intention of damaging the system brutally. It opens backdoors for remote attackers to provide access on user’s computer. It may put system at high risks and corrupt essential files and data in multiple ways. Criminals bounds users to open or download its infectious files. It’s quite difficult to detect Trojan virus though it continuously changes its location inside system. Mostly, Backdoor.Joanap attack on almost every version of Windows computer. In addition, it replicates itself to go deep inside the system. So that, it can conveniently perform vulnerable activities on the system. Unfortunately, this virus lurks into the system using some form of social engineering. For example – when users open any suspicious email attachment, visiting phishing sites, downloading freeware from unknown site, sharing file over infected network etc. It hampers computer to perform evil tasks without user’s knowledge. Further, it modifies registry entry and default setting of system.

Once getting control over system, Backdoor.Joanap exhibits unavoidable behavior. It recommends fake update of already installed programs or software in system. Even, it slows down system processing and interrupts normal functionality of PC including disable task manager, control panel, firewalls etc. It leaves bad impact on web browsers like Chrome/IE/Firefox to accomplish illegal tasks. For this, it alters default setting to redirect users to unknown sites. Moreover, it replaces original homepage and new tab with its fake one. What worse about this virus is that it will cause system crashes after some random freezes taking place. Backdoor.Joanap additionally install unwanted browser add-ons and plugins into browsers. Further it comes along with other severe threats to put system at worst situation. Other than its annoying behavior, it monitors online activities of users such as browsing history, session ids, bookmarks, search queries, cookies etc. Then onwards, gather all credential and personal information to perform cybercrime and earn money.

The Threat Actor Hidden Cobra is known by a lot of aliases:

Lazarus Group
Dark Seoul
Hidden Cobra
Hastati Group
Andariel
Unit 121
Bureau 121

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.

The countries in which the infected IP addresses are registered are as follows:

  • Argentina
  • Belgium
  • Brazil
  • Cambodia
  • China
  • Colombia
  • Egypt
  • India
  • Iran
  • Jordan
  • Pakistan
  • Saudi Arabia
  • Spain
  • Sri Lanka
  • Sweden
  • Taiwan
  • Tunisia

Steps to Mitigate the threat

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device’s visibility is set to “Hidden” so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to “Unauthorized”, requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • Block all the hashes, domains, URL’s and IP’s mentioned in the IOC’s
  • Get in touch with Mjolnir Security as soon as possible.

Indicators of Compromise

InfectionType IndicatorType Indicator
Post-Infection IP Indicator(s) 181.1.253.234
Post-Infection IP Indicator(s) 200.82.62.24
Post-Infection IP Indicator(s) 81.243.151.226
Post-Infection IP Indicator(s) 81.247.219.196
Post-Infection IP Indicator(s) 138.204.211.197
Post-Infection IP Indicator(s) 177.221.11.176
Post-Infection IP Indicator(s) 177.221.11.233
Post-Infection IP Indicator(s) 177.41.74.199
Post-Infection IP Indicator(s) 179.107.219.90
Post-Infection IP Indicator(s) 187.127.112.60
Post-Infection IP Indicator(s) 187.127.115.206
Post-Infection IP Indicator(s) 189.15.173.106
Post-Infection IP Indicator(s) 103.227.174.79
Post-Infection IP Indicator(s) 146.88.205.56
Post-Infection IP Indicator(s) 113.57.34.213
Post-Infection IP Indicator(s) 117.179.224.33
Post-Infection IP Indicator(s) 181.234.231.152
Post-Infection IP Indicator(s) 190.60.109.166
Post-Infection IP Indicator(s) 196.204.141.76
Post-Infection IP Indicator(s) 196.221.41.109
Post-Infection IP Indicator(s) 1.186.218.107
Post-Infection IP Indicator(s) 103.71.212.72
Post-Infection IP Indicator(s) 106.51.226.188
Post-Infection IP Indicator(s) 114.79.191.185
Post-Infection IP Indicator(s) 117.213.169.79
Post-Infection IP Indicator(s) 117.213.170.132
Post-Infection IP Indicator(s) 117.213.170.252
Post-Infection IP Indicator(s) 117.214.92.199
Post-Infection IP Indicator(s) 117.254.85.138
Post-Infection IP Indicator(s) 123.201.161.60
Post-Infection IP Indicator(s) 157.49.171.35
Post-Infection IP Indicator(s) 202.142.71.166
Post-Infection IP Indicator(s) 49.206.100.19
Post-Infection IP Indicator(s) 49.206.105.206
Post-Infection IP Indicator(s) 59.92.69.202
Post-Infection IP Indicator(s) 59.92.69.23
Post-Infection IP Indicator(s) 59.92.69.254
Post-Infection IP Indicator(s) 59.92.69.51
Post-Infection IP Indicator(s) 59.92.70.122
Post-Infection IP Indicator(s) 59.92.70.162
Post-Infection IP Indicator(s) 59.92.70.164
Post-Infection IP Indicator(s) 59.95.151.28
Post-Infection IP Indicator(s) 59.97.22.192
Post-Infection IP Indicator(s) 61.3.239.224
Post-Infection IP Indicator(s) 2.182.31.181
Post-Infection IP Indicator(s) 2.182.31.195
Post-Infection IP Indicator(s) 2.182.31.84
Post-Infection IP Indicator(s) 2.187.201.47
Post-Infection IP Indicator(s) 82.212.93.217
Post-Infection IP Indicator(s) 110.36.226.146
Post-Infection IP Indicator(s) 203.130.24.202
Post-Infection IP Indicator(s) 176.45.234.206
Post-Infection IP Indicator(s) 176.45.248.239
Post-Infection IP Indicator(s) 176.47.60.110
Post-Infection IP Indicator(s) 188.49.198.65
Post-Infection IP Indicator(s) 188.54.209.88
Post-Infection IP Indicator(s) 188.54.251.115
Post-Infection IP Indicator(s) 5.156.110.212
Post-Infection IP Indicator(s) 5.156.137.47
Post-Infection IP Indicator(s) 51.235.186.186
Post-Infection IP Indicator(s) 90.148.206.252
Post-Infection IP Indicator(s) 95.184.0.49
Post-Infection IP Indicator(s) 95.218.39.84
Post-Infection IP Indicator(s) 2.137.162.251
Post-Infection IP Indicator(s) 124.43.35.86
Post-Infection IP Indicator(s) 124.43.39.105
Post-Infection IP Indicator(s) 124.43.41.213
Post-Infection IP Indicator(s) 124.43.41.48
Post-Infection IP Indicator(s) 124.43.42.30
Post-Infection IP Indicator(s) 90.236.254.71
Post-Infection IP Indicator(s) 1.160.139.122
Post-Infection IP Indicator(s) 1.169.112.88
Post-Infection IP Indicator(s) 1.170.194.142
Post-Infection IP Indicator(s) 111.253.145.11
Post-Infection IP Indicator(s) 111.255.198.92
Post-Infection IP Indicator(s) 114.26.231.136
Post-Infection IP Indicator(s) 114.36.15.80
Post-Infection IP Indicator(s) 114.36.3.66
Post-Infection IP Indicator(s) 114.39.179.133
Post-Infection IP Indicator(s) 114.46.75.51
Post-Infection IP Indicator(s) 122.121.9.203
Post-Infection IP Indicator(s) 36.229.45.69
Post-Infection IP Indicator(s) 36.231.179.65
Post-Infection IP Indicator(s) 36.231.36.64
Post-Infection IP Indicator(s) 36.235.81.169
Post-Infection IP Indicator(s) 36.238.65.99
Post-Infection IP Indicator(s) 41.224.255.67
Pre-Infection File Indicator(s) 4613f51087f01715bf9132c704aea2c2
Pre-Infection File Indicator(s) 298775b04a166ff4b8fbd3609e716945
Pre-Infection File Indicator(s) e86c2f4fc88918246bf697b6a404c3ea
Pre-Infection File Indicator(s) 4731cbaee7aca37b596e38690160a749
Pre-Infection File Indicator(s) a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717
Pre-Infection File Indicator(s) fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16
Pre-Infection File Indicator(s) ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781
Pre-Infection File Indicator(s) 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885

REFERENCES

 

Header image from: https://media.scmagazine.com
Recent Posts

Start typing and press Enter to search