The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, US Cyber Command, and the Department of Homeland Security have published technical details of a new North Korea-linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) covering the malware families used in recent attacks carried out by the North Korea-linked HIDDEN COBRA group.

The MARs aim at helping organizations detect HIDDEN COBRA activity. Let’s take a closer look at each malware family detailed in the reports just released:

• BISTROMATH – a full-featured RAT implant;

• SLICKSHOES – a Themida-packed dropper;

• CROWDEDFLOUNDER – a Themida-packed 32-bit Windows executable, designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;

• HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;

• ARTFULPIE – an implant that downloads a DLL from a hardcoded URL and loads and executes it in memory;

• BUFFETLINE – a full-featured beaconing implant.

US agencies also updated the MAR on the HOPLIGHT proxy-based backdoor Trojan, which was first analyzed in April 2019.

Each report includes detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

US Cyber Command also announced that it had uploaded the malware samples to VirusTotal:

Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://t.co/cBqSL7DJzI. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM — USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020

CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:

• Maintain up-to-date antivirus signatures and engines.

• Keep operating system patches up-to-date.

• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.

• Enforce a strong password policy and implement regular password changes.

• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.

• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.

• Disable unnecessary services on agency workstations and servers.

• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).

• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.

• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).

• Scan all software downloaded from the Internet prior to executing.

• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
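The “true file type” check in the list above (does the extension match the file header?) is the one item that maps directly onto code. The following is an added example, written for this page and not taken from CISA’s reports or the article: it inspects the leading magic bytes of an attachment, disambiguates ZIP containers from Office Open XML documents by looking inside the archive, and flags attachments whose extension does not belong to the detected type. The signature table, the allowed-extension sets, and the sample attachments are all constructed for the example.

```python
"""Extension-vs-header check for e-mail attachments (added example).

Constructed inputs only: the PE stub, PDF header and OOXML archive below
are built in memory so the check runs offline.
"""
import io
import zipfile
from typing import Optional, Tuple

# Leading byte signatures for common attachment types. Order matters only
# in that the first match wins; none of these prefixes overlap.
SIGNATURES = [
    (b"MZ", "exe"),                                    # PE executable / DLL
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),     # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                            # ZIP, also OOXML
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
]

# Extensions that legitimately carry each detected type (assumed policy).
ALLOWED = {
    "exe": {"exe", "dll", "scr", "sys", "cpl"},
    "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "jar"},
    "docx": {"docx", "docm", "dotx"},
    "xlsx": {"xlsx", "xlsm", "xltx"},
    "pptx": {"pptx", "pptm"},
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
}


def _classify_zip(data: bytes) -> str:
    """Tell a plain ZIP from an Office Open XML document by its part layout."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"  # PK header but not a readable archive: treat as ZIP
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        if any(n.startswith("ppt/") for n in names):
            return "pptx"
    return "zip"


def detect_true_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file header, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _classify_zip(data) if kind == "zip" else kind
    return None


def extension_of(filename: str) -> str:
    """Last extension, lower-cased; 'invoice.pdf.exe' yields 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """(ok, reason): ok is False on an unknown header or an extension mismatch."""
    ext = extension_of(filename)
    kind = detect_true_type(data)
    if kind is None:
        return False, f"{filename}: unrecognised header {data[:8]!r}"
    if ext in ALLOWED.get(kind, set()):
        return True, f"{filename}: extension .{ext} matches header type {kind}"
    return False, f"{filename}: extension .{ext} but header says {kind}"


def _make_ooxml(part_dir: str) -> bytes:
    """Build a minimal OOXML-shaped archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{part_dir}/document.xml", "<doc/>")
    return buf.getvalue()


# Constructed samples: a PE stub masquerading as a PDF, a genuine-looking
# OOXML document, and a PDF header.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_DOCX = _make_ooxml("word")
SAMPLE_PDF = b"%PDF-1.7\n%constructed sample\n"

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_EXE),
                       ("report.docx", SAMPLE_DOCX),
                       ("statement.pdf", SAMPLE_PDF),
                       ("notes.txt", b"plain text")]:
        print(check_attachment(name, blob)[1])
```

Two design points are worth noting. The check deliberately uses the last extension only, so `invoice.pdf.exe` is judged as an executable, which is what the header says; whether executables are accepted at all is a separate policy decision. And an OOXML file renamed to `.zip` is reported as a mismatch, which is harmless in practice but keeps the rule strict; widen the `ALLOWED` sets if that produces too much noise in your mail flow.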



Pierluigi Paganini

(SecurityAffairs – HIDDEN COBRA, malware)