The U.S. Department of Homeland Security (DHS) and FBI released a public statement accusing North Korea of controlling the Joanap trojan and Brambul worm. In a joint technical alert, the agencies said they and "trusted third parties" had evidence connecting the malware to the North Korean government, whose "malicious cyber activities" are collected by U.S. government agencies and referred to as HIDDEN COBRA.
According to the agencies, HIDDEN COBRA has used Joanap and Brambul since at least 2009 to target "the media, aerospace, financial, and critical infrastructure sectors" in the U.S. and other countries. Despite their differing methods, Joanap and Brambul are both used to compromise target devices and steal information from them. Both pieces of malware can also be used to gain remote access to the affected devices.
Joanap is a Remote Access Trojan (RAT) that spreads via other malware used by HIDDEN COBRA or by tricking people into downloading malicious files. The agencies said Joanap can be used to "exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device." The agencies also said Joanap is used to manage botnets for other operations and to manage network nodes.
The U.S. government found 87 nodes connected to Joanap across China, Pakistan, and other countries around the world. Brambul, meanwhile, brute-forces its way through a network after it's installed by a dropper malware. Once the worm is installed, it attempts to spread through a network by exploiting weak user security (such as bad passwords) and improperly secured network shares while sending info to HIDDEN COBRA.
DHS and the FBI said Brambul could be used remotely for:
- harvesting system information,
- accepting command-line arguments,
- generating and executing a suicide script,
- propagating across the network using SMB,
- brute-forcing SMB login credentials, and
- generating Simple Mail Transfer Protocol (SMTP) email messages containing target host system information.
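The SMB brute-forcing described above leaves a recognisable trace on the victim side: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source against many different accounts, sometimes followed by a successful network logon (4624) from the same source. The detector below is an added example, not code from the alert or the article; the log format and the event lines are constructed here to mimic flattened Security-log fields, and the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): 4625 = failed logon, 4624 = success.
# LogonType 3 is a network logon, which is what SMB authentication attempts produce.
SAMPLE_LOG = """\
2018-05-29T10:00:01 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=administrator
2018-05-29T10:00:02 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=admin
2018-05-29T10:00:02 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=guest
2018-05-29T10:00:03 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=user
2018-05-29T10:00:04 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=test
2018-05-29T10:00:05 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=backup
2018-05-29T10:00:07 EventID=4624 LogonType=3 IpAddress=10.0.0.23 TargetUserName=backup
2018-05-29T10:05:00 EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=alice
2018-05-29T10:05:30 EventID=4625 LogonType=3 IpAddress=10.0.0.40 TargetUserName=alice
2018-05-29T10:06:00 EventID=4625 LogonType=3 IpAddress=10.0.0.40 TargetUserName=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, ip, user); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]), int(m["lt"]), m["ip"], m["user"])

def detect_smb_bruteforce(log_text, threshold=5, min_users=3, window=timedelta(minutes=2)):
    """Return {ip: verdict} for sources with >= threshold failed network logons against
    >= min_users distinct accounts inside `window` (assumed thresholds). The verdict
    becomes 'success_after_failures' if that source later logs on successfully."""
    failures = defaultdict(list)   # ip -> [(ts, user)] for recent 4625 / LogonType 3
    verdicts = {}
    for ts, eid, lt, ip, user in parse(log_text):
        if lt != 3:
            continue                # interactive/local logons are not SMB guesses
        if eid == 4625:
            failures[ip].append((ts, user))
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            failures[ip] = recent   # drop events that fell out of the sliding window
            if len(recent) >= threshold and len({u for _, u in recent}) >= min_users:
                verdicts.setdefault(ip, "bruteforce")
        elif eid == 4624 and ip in verdicts:
            verdicts[ip] = "success_after_failures"
    return verdicts
```

On the sample data 10.0.0.23 is flagged and escalated because a successful logon follows the password spray, while 10.0.0.40 (two failures, one account) and the local logon-type-2 failure are ignored.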
The agencies warned that Joanap and Brambul's capabilities threaten victims' ability to protect proprietary information, threaten daily operations, and expose victims to financial losses or reputational damage as they attempt to respond to the attack. They advised organizations to keep systems up to date with security patches, restrict users' privileges, and disable Microsoft's File and Printer Sharing service.
You can learn more about HIDDEN COBRA on its dedicated U.S.-CERT page.