Feds Reveal Hidden Cobra’s Trove of Espionage Tools

hidden cobra tools revealed

The APT’s new cyber-attack tools are laid bare on three-year anniversary of WannaCry.

The U.S. Department of Homeland Security and Federal Bureau of Investigation have exposed what they say are hacking tools used by the North Korean-sponsored APT group Hidden Cobra. The disclosure was the result of a broad government effort to combat the advanced persistent threat group, who have been active for a number of years.

The agencies have published malware analysis reports (MARs) for three pieces of malware—Copperhedge, Taintedscribe and Pebbledash which the agencies said come from the toolbox of Hidden Cobra, according to a United States Computer Emergency Readiness Team (US-CERT) release posted late Tuesday.

“The information contained in the alerts and MARs listed above is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the Federal Bureau of Investigation to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government,” according to the post.

Each of the documents includes malware samples as well as descriptions, suggested response actions and recommended mitigation techniques to help companies identify and fight attacks by North Korean state-sponsored actors.

The tools included in the documentation allow Hidden Cobra to perform nefarious tasks such as remotely take over systems and steal information as well as install spyware on targeted systems to perform espionage activities.

The government released its documentation of the malware on an auspicious date—the third anniversary of the infamous WannaCry attack that impacted more than 300,000 machines in 150 countries, causing unprecedented financial damage and crippling companies who were infected. The attack eventually was attributed to North Korea in December 2017.

Copperhedge is a full-featured remote access tool that can run arbitrary commands, performing system reconnaissance, and exfiltrate data, according to its documentation. It is one of six distinct variants of the malware classified under a family of tools called Manuscrypt; each variant is categorized based on common code and a common class structure, researchers said.

Taintedscribe is a full-featured beaconing implant, including its command modules. Samples posted uses FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register algorithm, according to US-CERT.

The main executable of this tool disguises itself as Microsoft’s Narrator to download a command execution module from a command and control (C2) server. At this point, Tainted Scribe can  download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration, researchers said.

Pebbledash also is a full-featured beaconing implant that also uses FakeTLS for session authentication as well as for network encoding using RC4, but without command modules, according to the post. This piece of malware can download, upload, delete and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration, according to US-CERT.

The U.S. authorities have had Hidden Cobra in their crosshairs for a number of years and have been tracking the activities of the group, which typically target financial institutions.

In 2017, US-CERT first warned it believed North Korean attackers operating a campaign called Hidden Cobra targeting U.S. businesses with malware- and botnet-related attacks that they identified as Hidden Cobra.

Since then, several attacks have been attributed to the group. One in 2018 targeted organizations in the media, aerospace, financial and critical infrastructure sectors with two types of malware—a RAT dubbed Joanap; and a Server Message Block (SMB) worm called Brambul–that could steal sensitive and proprietary information, disrupt regular operations, and disable systems and files.

Last year, Hidden Cobra struck again, using a never-before-seen spyware variant called Hoplight to target U.S. companies and government agencies in active attacks.

Authorities urge organizations to report any activity they discover associated with the malware to the Cybersecurity and Infrastructure Security Agency or the FBI Cyber Watch.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.


Suggested articles