SMB malware, Hidden Cobra strikes again.
Hidden Cobra is mounting active attacks on U.S. businesses, including organizations in the media, aerospace, financial and critical infrastructure sectors. According to a United States Computer Emergency Readiness Team bulletin released Tuesday, the state-sponsored group is using two malware families: a remote access tool dubbed Joanap and a Server Message Block worm known as Brambul. Neither is new; both first appeared in 2009. However, both have modern tricks. The hackers are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files.
Joanap is a fully functional RAT that acts as the payload in various phishing or drive-by attacks. Hidden Cobra uses it to steal data and host system information, drop and run secondary attacks, and initialize proxy and peer-to-peer communications on compromised Windows devices. It uses Rivest Cipher 4 encryption to communicate with the C2. It also has the ability to manage botnets for other types of operations, and can carry out file management, process management, the creation and deletion of directories, and node management.
Brambul is a Windows 32-bit brute-force authentication worm that spreads through SMB, the Windows file-sharing protocol that enables shared access to files between users on a network. SMB is the point of compromise targeted by leaked National Security Agency hacking tools like EternalBlue and EternalRomance. Brambul targets insecure or unsecured user accounts and spreads through poorly secured network shares. It shows up looking like a service dynamic link library file or a portable executable file, and once executed, it spreads to other subnets and systems on the network. It attempts to gain access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords, and it generates random IP addresses for further attacks. Once active on a system, Brambul sets about harvesting system information and sending it back to Hidden Cobra via malicious email messages. It can also accept command-line arguments, and it has a self-kill mechanism.
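The spreading behaviour described above (repeated SMB logon attempts against many accounts from one source, then against many hosts) leaves a recognisable trace in Windows Security logs: bursts of failed network logons (Event ID 4625, logon type 3) from a single source address. The following detection logic is an added example written for this article; it is not code from US-CERT or from the malware analysis. It assumes a simplified, constructed export of logon events (timestamp, event ID, logon type, source IP, target host, account) and uses a hypothetical threshold of five failures within sixty seconds, which a defender would tune to their own environment.

```python
"""Flag SMB-style password-guessing bursts in Windows failed-logon events.

Added example for the Brambul write-up; the event lines below are constructed.
Each line: <ISO timestamp> <event id> <logon type> <source ip> <target host> <account>
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAILED_LOGON = "4625"       # An account failed to log on
SUCCESSFUL_LOGON = "4624"   # An account was successfully logged on
NETWORK_LOGON_TYPE = "3"    # SMB sessions are recorded as network (type 3) logons

# Constructed sample: one source guessing six accounts on FS01, then moving to
# other hosts and finally succeeding; a second source with a single typo;
# an interactive console logon that should be ignored entirely.
SAMPLE_EVENTS = """\
2018-05-29T10:00:01 4625 3 10.0.5.23 FS01 administrator
2018-05-29T10:00:02 4625 3 10.0.5.23 FS01 admin
2018-05-29T10:00:02 4625 3 10.0.5.23 FS01 user
2018-05-29T10:00:03 4625 3 10.0.5.23 FS01 guest
2018-05-29T10:00:03 4625 3 10.0.5.23 FS01 test
2018-05-29T10:00:04 4625 3 10.0.5.23 FS01 backup
2018-05-29T10:00:05 4625 3 10.0.5.23 WS07 administrator
2018-05-29T10:00:06 4625 3 10.0.5.23 WS12 administrator
2018-05-29T10:00:07 4624 3 10.0.5.23 WS12 administrator
2018-05-29T10:05:00 4625 3 10.0.9.4 FS01 jsmith
2018-05-29T10:07:00 4625 2 - WS03 jsmith
2018-05-29T10:07:30 4624 2 - WS03 jsmith
"""


@dataclass
class Event:
    time: datetime
    event_id: str
    logon_type: str
    source_ip: str
    target_host: str
    account: str


@dataclass
class Finding:
    failures: int = 0                          # total failed network logons
    accounts: set = field(default_factory=set)  # distinct accounts tried
    hosts: set = field(default_factory=set)     # distinct hosts targeted
    peak_rate: int = 0                          # most failures inside one window
    success_after_burst: bool = False           # a 4624 arrived after the burst


def parse_events(text):
    """Parse the simplified event export into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, src, host, account = line.split()
        events.append(Event(datetime.fromisoformat(ts), eid, ltype, src, host, account))
    events.sort(key=lambda e: e.time)
    return events


def analyze(text, window_seconds=60, threshold=5):
    """Return {source_ip: Finding} for sources whose failed network logons
    reach `threshold` within any `window_seconds` span (hypothetical defaults)."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(Finding)
    recent = defaultdict(deque)  # source_ip -> timestamps of failures in the window
    for ev in parse_events(text):
        # Only network logons with a remote address can be share-based spreading.
        if ev.logon_type != NETWORK_LOGON_TYPE or ev.source_ip == "-":
            continue
        finding = per_source[ev.source_ip]
        queue = recent[ev.source_ip]
        if ev.event_id == FAILED_LOGON:
            finding.failures += 1
            finding.accounts.add(ev.account)
            finding.hosts.add(ev.target_host)
            queue.append(ev.time)
            while queue and ev.time - queue[0] > window:
                queue.popleft()
            finding.peak_rate = max(finding.peak_rate, len(queue))
        elif ev.event_id == SUCCESSFUL_LOGON and finding.peak_rate >= threshold:
            # A success from a source that was just guessing: likely compromise.
            finding.success_after_burst = True
    return {src: f for src, f in per_source.items() if f.peak_rate >= threshold}


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_EVENTS).items():
        print(f"{src}: {f.failures} failures, peak {f.peak_rate}/window, "
              f"{len(f.accounts)} accounts, {len(f.hosts)} hosts, "
              f"success after burst: {f.success_after_burst}")
```

The per-source sliding window catches the embedded-password-list behaviour (many accounts, one host) and the random-IP scanning behaviour (one account, many hosts) with the same rule; the `success_after_burst` flag is the finding worth escalating first, because it marks a host the worm has most likely reached.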
Hidden Cobra, aka the Lazarus Group, has been on the radar screen for some time. It was linked to the Sony Pictures hack as well as the SWIFT banking attacks. More recently, last June the group was seen leveraging malware called DeltaCharlie, which is the brains behind North Korea's distributed denial-of-service botnet infrastructure. In April, Thailand's Computer Emergency Response Team seized a server operated by the APT, which is part of the network used to control the global GhostSecret espionage campaign. McAfee warned at the time that the GhostSecret campaign was carrying out data reconnaissance on a wide number of industries, including critical infrastructure, entertainment, finance, healthcare and telecommunications, in at least 17 countries.
To protect against this threat, users and administrators should follow best practices, especially maintaining up-to-date patching and antivirus. Enabling workstation firewalls is another measure to take, as is implementing email and download scanning to quarantine or block suspicious attachments and files. Administrators should consider restricting user permissions for software installations and disabling Microsoft's File and Printer Sharing service if it is not needed.