The US Computer Emergency Readiness Team (US-CERT) is warning users and admins about newly uncovered malware developed by North Korean hacking group Hidden Cobra, also known as the Lazarus Group.
US-CERT’s report on Typeframe identifies 11 pieces of malware, which consist of Windows executable files and a Word document with malicious Visual Basic macros.
“These files have the capability to download and install malware, install proxy and Remote-Access Trojans (RATs), connect to command-and-control servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” US-CERT notes in its latest malware report on the North Korean government’s Hidden Cobra campaign.
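One of the capabilities US-CERT lists, modifying the victim's firewall to allow incoming connections, leaves an artifact that defenders can audit directly in the host firewall rule set. The script below is an added example, not code from US-CERT's report or from the article: it parses the plain-text output of `netsh advfirewall firewall show rule name=all` and flags every enabled inbound Allow rule that is not in an expected baseline, also noting rules with no Grouping (built-in Windows rules carry a group name; rules added ad hoc with `netsh ... add rule` usually do not). The sample output, the baseline rule names and the hypothetical "Windows Update Helper" rule are all constructed for the example.

```python
"""Audit Windows Firewall rules for unexpected inbound Allow rules.

Added example (not from the US-CERT Typeframe report). Parses the text
produced by `netsh advfirewall firewall show rule name=all` and reports
enabled inbound Allow rules that are absent from a known-good baseline.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of `netsh advfirewall firewall show rule name=all`
# output: two legitimate rules, one hypothetical rogue rule on TCP/4443,
# and one disabled rule that must not be flagged.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Windows Update Helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            4443
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Old Lab Listener
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Private
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            8080
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

# Constructed baseline: rule names an administrator has reviewed and accepted.
EXPECTED_INBOUND_RULES: Set[str] = {"Remote Desktop - User Mode (TCP-In)"}

# "Key:   value" lines; the key is letters/spaces only, so IPv6 values with
# colons (e.g. fe80::/64) are not split in the wrong place.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Turn netsh rule listing text into a list of {field: value} dicts."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank separators and dashed underlines
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current:
            current[key] = value  # empty values (e.g. "Grouping:") kept as ""
    return rules


def suspicious_inbound_rules(rules: List[Dict[str, str]],
                             expected: Set[str]) -> List[Dict[str, str]]:
    """Return enabled inbound Allow rules not in the baseline, with reasons."""
    flagged = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if r.get("Rule Name") in expected:
            continue
        reasons = ["inbound Allow rule not in baseline"]
        if not r.get("Grouping"):
            reasons.append("no Grouping (typical of rules added via netsh)")
        if "Public" in r.get("Profiles", ""):
            reasons.append("applies to Public profile")
        flagged.append({**r, "Reasons": "; ".join(reasons)})
    return flagged


def collect_live_rules() -> str:
    """Run netsh on a Windows host; not called by the offline demo below."""
    return subprocess.run(
        ["netsh", "advfirewall", "firewall", "show", "rule", "name=all"],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for rule in suspicious_inbound_rules(parse_rules(SAMPLE_NETSH_OUTPUT),
                                         EXPECTED_INBOUND_RULES):
        print(f"{rule['Rule Name']!r} {rule['Protocol']}/{rule['LocalPort']}: {rule['Reasons']}")
```

On a live host, replace `SAMPLE_NETSH_OUTPUT` with `collect_live_rules()`; the baseline should be built from a known-clean image rather than from the machine under investigation, since a compromised host's current rule set is exactly what is in question.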
In May, US-CERT issued an alert about Hidden Cobra’s Joanap and Brambul malware, which have been used since 2009 to collect information from companies in the media, aerospace, financial, and critical-infrastructure sectors.
Hidden Cobra is also known as the hacking group Lazarus, which researchers believe was responsible for the WannaCry ransomware outbreak, an $80m Bangladesh cyber bank heist via SWIFT, and 2014’s Sony Pictures hack.
Researchers at McAfee earlier this year spotted a malicious Word document used in phishing campaigns aimed at financial sector organizations in Asia. As with the Typeframe Word document, it encouraged users to ‘enable content’ to run a malicious Visual Basic macro.
Typeframe is the 12th malware family US-CERT has attributed to the Hidden Cobra group; the earlier reports cover destructive malware and tools for carrying out distributed denial-of-service attacks.
They also include the Bankshot RAT implant, which US-CERT identified last December and which resurfaced in March in a targeted phishing attack on Turkey’s financial sector, delivered via a malicious Word document with an embedded Adobe Flash Player exploit.
That exploit, thought to have been developed by North Korean hackers, was previously used in zero-day Flash attacks on South Korean targets.
US-CERT urged admins and users to give any activity related to Typeframe “the highest priority for enhanced mitigations”.
It also urged users to report any detections to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).