As part of what has become a deliberate, ongoing strategy, the U.S. government has published detailed reports exposing three new malware tools it says are being used by state-sponsored attackers associated with the North Korean government.
On Tuesday, the FBI, Department of Homeland Security, and Department of Defense released a series of joint malware analysis reports on individual tools the agencies refer to as Copperhedge, Taintedscribe, and Pebbledash. The three pieces of malware are part of an arsenal used by attack groups that the U.S. government refers to as Hidden Cobra, a catch-all name for North Korean actors associated with that country’s government. Although there is no shortage of state-sponsored attack groups active at any given time, many of which run offensive operations against targets in the United States, U.S. agencies have focused much of their public attention on singling out tools, tactics, and intrusions attributed to North Korean groups.
Since 2017, DHS, now through its Cybersecurity and Infrastructure Security Agency (CISA), has publicly cataloged dozens of individual pieces of malware it attributes to Hidden Cobra actors, including trojans, backdoors, and remote access tools. One of the tools the agency exposed Tuesday is a remote access tool (RAT) called Copperhedge that targets Windows systems. CISA found numerous versions of the tool, which is part of the Manuscrypt family of malware. Researchers have attributed Manuscrypt malware to the North Korean APT group known as Lazarus, and Manuscrypt variants have been used in attacks on diplomatic targets in the past.
“The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features,” the CISA malware analysis report says.
“The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of ‘WinHTTP_Protocol’ and later ‘WebPacket’.”
The other two tools disclosed by CISA Tuesday, Pebbledash and Taintedscribe, are both implants that are used to maintain persistence on target machines and perform other tasks, such as network discovery.
“These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator. It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration,” the description of Taintedscribe says.
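The description above names two building blocks, FakeTLS framing and an LFSR keystream. As an added illustration, not code from the CISA reports or from the malware itself, the following Python models both in their simplest form and shows why a practitioner treats LFSR "encryption" as obfuscation rather than cryptography: a short known-plaintext prefix is enough to recover the generator with Berlekamp-Massey and decrypt the rest of the record. The 16-bit polynomial, the record header layout, the seed and the sample message are all assumptions; Taintedscribe's real parameters are not given on this page.

```python
# Added example (not from the CISA reports or the malware): toy FakeTLS framing
# around an LFSR keystream cipher, plus known-plaintext recovery of the keystream.
# The LFSR taps, record header, seed and sample message are assumptions.
import struct

LFSR_BITS = 16
LFSR_MASK = 0x002D  # assumed taps (bits 0,2,3,5): x^16 + x^14 + x^13 + x^11 + 1

TLS_APPLICATION_DATA = 0x17
TLS_VERSION = 0x0303  # assumed: header mimics a TLS 1.2 application-data record


def lfsr_keystream(state, nbits):
    """nbits of output from a 16-bit Fibonacci LFSR (assumed parameters)."""
    if not 0 < state < (1 << LFSR_BITS):
        raise ValueError("state must be a non-zero 16-bit value")
    out = []
    for _ in range(nbits):
        out.append(state & 1)  # the low bit is emitted as keystream
        fb = bin(state & LFSR_MASK).count("1") & 1  # parity of the tapped bits
        state = (state >> 1) | (fb << (LFSR_BITS - 1))
    return out


def bits_to_bytes(bits):
    """Pack bits MSB-first; drops any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def bytes_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def lfsr_xor(data, state):
    """Encrypt or decrypt by XOR with the LFSR keystream (symmetric)."""
    ks = bits_to_bytes(lfsr_keystream(state, 8 * len(data)))
    return bytes(a ^ b for a, b in zip(data, ks))


def faketls_wrap(body):
    """Prefix the ciphertext with a TLS-looking record header."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_VERSION, len(body)) + body


def faketls_unwrap(record):
    ctype, ver, length = struct.unpack("!BHH", record[:5])
    if ctype != TLS_APPLICATION_DATA or ver != TLS_VERSION or len(record) != 5 + length:
        raise ValueError("not a record of the assumed FakeTLS shape")
    return record[5:]


def berlekamp_massey(s):
    """Shortest LFSR (length L, connection coefficients c[0..L]) generating bit list s."""
    n = len(s)
    c = [1] + [0] * n
    b = [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def extend_keystream(seed_bits, L, c, total_bits):
    """Run the recovered recurrence forward to produce the whole keystream."""
    s = list(seed_bits)
    while len(s) < total_bits:
        i = len(s)
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & s[i - j]
        s.append(bit)
    return s


def recover_plaintext(record, known_prefix):
    """Known-plaintext attack: 2*L keystream bits fix the generator, so a short
    known prefix (e.g. a fixed command header) decrypts the entire record."""
    ct = faketls_unwrap(record)
    ks_known = bytes_to_bits(bytes(a ^ b for a, b in zip(ct, known_prefix)))
    L, c = berlekamp_massey(ks_known)
    ks = bits_to_bytes(extend_keystream(ks_known, L, c, 8 * len(ct)))
    return L, bytes(a ^ b for a, b in zip(ct, ks))


def demo():
    # Constructed sample beacon; the 8-byte prefix plays the role of a fixed header.
    plaintext = b"SYSINFO host=WS01 user=alice os=Windows10 build=19041\n"
    record = faketls_wrap(lfsr_xor(plaintext, 0xACE1))  # assumed seed
    return recover_plaintext(record, plaintext[:8])


if __name__ == "__main__":
    L, recovered = demo()
    print("recovered LFSR length:", L)
    print(recovered.decode())
```

Eight known bytes give 64 keystream bits, more than the 2 x 16 that Berlekamp-Massey needs for a 16-bit generator, so the remaining 46 bytes fall out without knowing the seed or the taps. The same property is what lets an analyst who has the sample, and therefore the generator, decode captured C2 traffic outright.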
Pebbledash has similar functionality. As with previous disclosures, CISA has uploaded samples of each of the newly disclosed tools to VirusTotal for public sharing and analysis.
In April, the FBI published an advisory warning organizations to be wary of continued financially motivated attacks from North Korean actors.
“Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated,” the advisory says.