Incident Of The Week: RAT Malware Strains Believed To Be N. Korean



Dan Gunderman
02/16/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a joint report from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) detailing the dangers of two Trojan malware packages. It’s believed to be the work of Hidden Cobra, aka the Lazarus Group – threat actors who’ve been pegged to the authoritarian North Korean government.

Both malware strains – called HARDRAIN and BADCALL – have the ability to install a remote access tool (RAT) payload on Androids. Windows systems are then drawn in as proxy servers, which disguises command-and-control communications.

The analysis of HARDRAIN and BADCALL comes from a Malware Analysis Report (MAR) between the agencies. The malicious activity has since been attributed to Hidden Cobra, the umbrella term for illicit cyber activity at the hands of the Kim Jong Un-led North Korean government.

See Related: Incident Of The Week: Gov. Transit Agency Attacked By N. Korean Malware

According to the report, “The FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.”

The first two files are “32-bit Windows executables that function as proxy servers and implement a ‘Fake TLS’ method.”

The report notes that a “third file is an Android Package Kit (APK) file designed to run on Android platforms as a fully functioning RAT.”

According to the BADCALL report, the APK is “capable of recording phone calls, taking screenshots using the device’s embedded camera, reading data from the contact manager, and downloading and uploading data from the compromised Android device.” Further, it can execute commands and scan open Wi-Fi networks.

See Related: Incident Of The Week: Media Site Targeted In DDoS Attack, Method On The Rise

The US-CERT report warns users or administrators to flag activity associated with the malware variants, and report it to the DHS National Cyber Security and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

But their caution doesn’t stop there. The joint report also offers mitigation tips for users and administrators. The best practices, the report notes, could “strengthen the security posture of an organization’s systems.”

The tips:
• Maintain up-to-date antivirus signatures and engines
• Restrict users’ ability (permissions) to install and run unwanted software applications
• Enforce a strong password policy and implement regular password changes
• Exercise caution when opening email attachments (even if the sender is known)
• Keep operating system patches up-to-date
• Enable a personal firewall on agency workstations
• Disable unnecessary services on agency workstations and servers
• Scan for and remove suspicious email attachments
• Monitor users’ web browsing habits
• Restrict access to sites with unfavorable content
• Exercise caution when using removable media
• Scan all software downloaded from the internet prior to executing
• Maintain situational awareness of the latest threats

It appears that the Lazarus Group, whose name has biblical roots, has multiplied its efforts of late. The allegedly state-sponsored group is also believed to be behind the “HaoBao” campaign. In it, Lazarus phishes users via email by posing as recruiters. Their target: Bitcoin users and global financial organizations, according to McAfee.

If a suspicious attachment is opened, the malware scans for Bitcoin activity and injects an implant for future reconnaissance.

Be Sure To Check Out: Incident Of The Week: DDoS Attack Hits 3 Banks Simultaneously