Today the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint Technical Alert (TA) identifying two families of malware, dubbed Joanap and Brambul, used by the North Korean government.
The new TA is part of a larger investigation into malicious cyber activity by the North Korean government, which the U.S. government calls HIDDEN COBRA. However, this isn’t the first TA of 2018 regarding a foreign nation’s malicious cyber activity; DHS released a similar alert in March about a large-scale Russian cyber campaign targeting U.S. infrastructure.
Joanap is a remote access tool (RAT). It uses a two-stage process to establish peer-to-peer communications and manage botnets designed to enable other operations. “Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device,” the alert said.
Brambul is a malicious Windows 32-bit Server Message Block (SMB) worm. It functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware, the alert said. “When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets,” the alert continued. “If successful, the application attempts to gain unauthorized access via the SMB protocol by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.”
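The subnet-wide SMB brute-force behaviour the alert attributes to Brambul leaves a characteristic trace in Windows Security logs: one source address producing failed network logons (event 4625, logon type 3) against many distinct hosts in a short burst. The following detector is an added example, not code from the alert or from DHS/FBI; the event records are constructed, and the field names and thresholds are assumptions a SIEM deployment would adapt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to the fields a SIEM would normalise. Logon type 3 is a network
# logon, which is what a failed SMB authentication attempt produces.
SAMPLE_EVENTS = [
    # worm-like source: one host, twelve distinct targets, one account, 12-second burst
    *[{"time": f"2018-05-29T10:00:{s:02d}", "src": "10.0.5.23",
       "dst": f"10.0.5.{40 + s}", "account": "administrator", "logon_type": 3}
      for s in range(12)],
    # a user mistyping a password twice against a single file server
    {"time": "2018-05-29T10:00:05", "src": "10.0.5.80", "dst": "10.0.5.2",
     "account": "jsmith", "logon_type": 3},
    {"time": "2018-05-29T10:00:09", "src": "10.0.5.80", "dst": "10.0.5.2",
     "account": "jsmith", "logon_type": 3},
    # an interactive (console) failure is not SMB traffic and is ignored
    {"time": "2018-05-29T10:00:07", "src": "10.0.5.91", "dst": "10.0.5.91",
     "account": "jsmith", "logon_type": 2},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_smb_spray(events, window=timedelta(seconds=60), min_targets=5, min_failures=10):
    """Return {src_ip: (failures, distinct_targets)} for every source whose failed
    network logons, inside some sliding window, reach both thresholds. The value
    reported is the largest qualifying window seen for that source."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:          # only network logons (SMB, RPC, ...)
            by_src[e["src"]].append((parse_time(e["time"]), e["dst"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()                    # chronological order for the sliding window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                 # drop attempts that fell out of the window
            win = attempts[start:end + 1]
            targets = {dst for _, dst in win}
            if len(win) >= min_failures and len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, (0, 0)), (len(win), len(targets)))
    return flagged
```

A single misbehaving user stays below both thresholds because every failure lands on the same target, so the distinct-host count is what separates a worm sweeping a subnet from ordinary password mistakes.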
The alert also includes suggested response actions, including keeping operating systems and software up to date with the latest patches, maintaining active antivirus software, scanning for and removing suspicious email attachments, and restricting users’ abilities to install and run unwanted software applications. If users or administrators detect activity associated with Joanap or Brambul, the alert said they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center or the FBI Cyber Watch, and give it the highest priority for enhanced mitigation.