US Says North Korea Is Behind Joanap, Brambul Malware

By Nathaniel Mott
published

The U.S. Department of Homeland Security (DHS) and FBI released a public statement accusing North Korea of controlling the Joanap trojan and Brambul worm. In a joint technical alert, the agencies said they and "trusted third parties" had evidence connecting the malware to the North Korean government, whose "malicious cyber activities" are collected by U.S. government agencies and referred to as HIDDEN COBRA.

According to the agencies, HIDDEN COBRA has used Joanap and Brambul since at least 2009 to target "the media, aerospace, financial, and critical infrastructure sectors" in the U.S. and other countries. Despite their differing methods, Joanap and Brambul are both used to compromise target devices and steal information from them. Both pieces of malware can also be used to gain remote access to the affected devices.

Joanap is a Remote Access Trojan (RAT) that spreads via other malware used by HIDDEN COBRA or by tricking people into downloading malicious files. The agencies said Joanap can be used to "exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device." It can also be used to manage botnets used by other operations, the agencies said, and network nodes.

The U.S. government found 87 nodes connected to Joanap across China, Pakistan, and other countries around the world. Brambul, meanwhile, brute-forces its way through a network after it's installed by a dropper malware. Once the worm is installed, it attempts to spread through a network by exploiting weak user security (such as bad passwords) and improperly secured network shares while sending info to HIDDEN COBRA.

DHS and the FBI said Brambul could be remotely used for

  • harvesting system information,
  • accepting command-line arguments,
  • generating and executing a suicide script,
  • propagating across the network using SMB,
  • brute forcing SMB login credentials, and
  • generating Simple Mail Transport Protocol email messages containing target host system information.

The agencies warned that Joanap and Brambul's capabilities threaten victims' ability to protect proprietary information, threaten daily operations, and run the risk of incurring financial losses or hits to the victims' reputation as they attempt to respond to the attack. They advised organizations to make sure they're up-to-date with security patches, restrict users' privileges, and to disable Microsoft's File and Printer Sharing service.

You can learn more about HIDDEN COBRA on its dedicated U.S.-CERT page.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

Topics
Security
8 Comments Comment from the forums
  • stdragon
    With a name like Hidden Cobra, you can be sure Destro is behind this.
    Reply
  • lperreault21
    North Korea has Internet?!? I thought there best technology was like a 80-90s PC
    Reply
  • stdragon
    21014478 said:
    North Korea has Internet?!? I thought there best technology was like a 80-90s PC

    More like state wide Intranet. All traffic is white-listed, and even then only the elite get special limited access to the outside world.

    The official operating system as I recall is Red Star OS, which is a closed-source version of Linux loaded with spyware to snitch on the citizens that use it.
    Reply
  • ElectrO_90
    Don't you love how America never blames itself for any of the problems around the world, including all the hacks they do on other countries with their own software, which was proved.
    Reply
  • Colif
    But its okay if they do it. Like interfering in other countries is fine if its them doing it, second any country tries to do it back and they complain and act like its the end of the world.

    Wikileaks shows any country can make any attack look like someone else did it. So that blows away much of the evidence.
    Reply
  • ElectrO_90
    21014759 said:
    But its okay if they do it. Like interfering in other countries is fine if its them doing it, second any country tries to do it back and they complain and act like its the end of the world.

    Wikileaks shows any country can make any attack look like someone else did it. So that blows away much of the evidence.

    Spot On!
    We cry because Russia interfered with our election... but we also interfere in other countries democratic process (but thats OK!)
    Team America - anyone? hahaha
    Reply
  • lperreault21
    21014486 said:
    21014478 said:
    North Korea has Internet?!? I thought there best technology was like a 80-90s PC

    More like state wide Intranet. All traffic is white-listed, and even then only the elite get special limited access to the outside world.

    The official operating system as I recall is Red Star OS, which is a closed-source version of Linux loaded with spyware to snitch on the citizens that use it.

    well, that makes sense

    Reply
  • compprob237
    Yet another case of the pot calling the kettle black. I guess the NSA is just a bunch of Angels.
    Reply