US Government Discovers New North Korean Malware Variants: COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH

May 15, 2020

Tracked as HIDDEN COBRA, the North Korean government-backed hacker group, is leveraging new malware variants in ill-natured cyberattack campaigns. Recently, the US government published information on these new malware variants.

What’s going on?

  • As per the reports released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD), the cyber actors of Democratic People’s Republic of Korea (DPRK) are using the new malware for phishing and remote access.
  • The aim is to conduct illegal activities, steal funds, and bypass sanctions.
  • Also, the US Cyber Command has uploaded five samples of the newly discovered malware variants in VirusTotal, a malware aggregation repository.
  • The CISA has published comprehensive malware analysis reports (MARs) comprising indicators of compromise (IOCs) and YARA rules for every detected sample.
  • The MARs are issued to help network defenders detect and minimize the exposure to malicious activities of HIDDEN COBRA.

The three newly discovered Malware variants

  • COPPERHEDGE, one of the new malware variants, is a remote access tool (RAT) employed by advanced persistent threat (APT) groups to target cryptocurrency exchanges and associated entities. The RAT is capable of helping threat actors perform system surveys, run arbitrary commands on compromised systems, and exfiltrate stolen data.
  • The other variant, TAINTEDSCRIBE, is a trojan that behaves as a fully-featured beaconing implant integrated with command modules. Masquerading as Microsoft’s Narrator, the trojan can download its command execution module from a command and control (C2) server and then download, upload, delete, and execute files.
  • PEBBLEDASH is the third trojan that acts like a beaconing implant and allows North Korean hacking groups to download, upload, delete, and execute files. It enables Windows CLI access, creates and terminates processes, and performs target system enumeration.

The deeds of HIDDEN COBRA

  • In April, the US government issued guidelines on North Korean hacking activities and offered a $5 million reward for any information on DPRK hackers’ illegal activities. 
  • During 2017 and 2018, the DPRK-sponsored hacking groups were behind cryptocurrency heists that led to losses of $571 million. Later in 2019, the US Treasury issued sanctions against the three North Korean hacking groups, namely, Lazarus, Andariel, and Bluenoroff. 
  • In 2019, the FBI and CISA issued information on two malware, ELECTRICFISH and HOPLIGHT, leveraged by the North Korean APT group, Lazarus. While the malware ELECTRICFISH was used to steal data, HOPLIGHT trojan was employed to mask malicious traffic.

Read the original article and additional information at Cyware Social