US cybersecurity agency warns about North Korean malicious activities

Three new malware strains used by North Korean hackers exposed right around the WannaCry anniversary

The new North Korean malware strains reported

Cyber-security officials have exposed new North Korean malware named COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.[1] Experts published details about three strains used by the government-sponsored hacker group dubbed Hidden Cobra, also known as the Lazarus group. The report was released around the three-year anniversary of the WannaCry ransomware outbreak.[2] That infection spread widely and caused extensive damage across various industries; this ransomware is held responsible for extracting more than $571 million in cryptocurrency from victims of financially motivated malware attacks.[3]

DHS CISA, the FBI, and DOD recommend mitigation techniques and urge organizations to review these reports on three recent malware variants tied to the notorious hacker group. These threats can remotely control the machine, exfiltrate sensitive information from the targeted system, and perform whatever other tasks the Hidden Cobra group configures the malware for.[4] The report lists all activities related to the group from 2017 up to this May, when the remote access tool and two trojans were detected and investigated.

Functions of sophisticated malware

The latest malware strains, exposed on May 12th, are confirmed to be linked with North Korean hacker groups, and the samples show similarities with threats the group has used before. In these three years, DHS has already published 28 reports on particular malware strains related to the government-sponsored Lazarus group.

COPPERHEDGE – a remote access trojan, or RAT, that can run arbitrary commands and exfiltrate data. This strain is used by hackers that target cryptocurrency exchanges and similar entities. Researchers identified at least six different versions of the RAT.

TAINTEDSCRIBE – a malware implant, or trojan, that gets installed on the system to receive and execute any commands the attackers send its way. It functions as a backdoor that disguises itself as Microsoft’s Narrator screen reader tool and downloads malicious scripts from the C&C server. It can inject any malware payload on the hacked device.

PEBBLEDASH – another trojan that can download, upload, delete, and run various files. It can also enable Windows CLI access, create or terminate any process, and trigger system enumeration that gathers usernames, hostnames, network shares, and other data. This process establishes a connection to targeted hosts and can be used to further exploit the system once potential attack vectors are discovered.
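The TAINTEDSCRIBE description above says the backdoor passes itself off as the Narrator screen reader. A defender's basic check for that kind of masquerading is to compare a process's image name against where that binary is expected to live on disk. The following is an added example, not code from the article or the CISA report; it assumes the disguise shows up as a `Narrator.exe` image name running outside `System32` (an assumption about how such a sample would present, not a detail the report states here), and the process events are constructed.

```python
"""Flag processes that borrow the name of a Windows system binary but run from
an unexpected directory. Added example; the Narrator.exe assumption is ours."""
import ntpath
from typing import Iterable

# Expected on-disk directories for the binaries we watch, lower-cased for
# comparison. Narrator.exe is the one the article names; svchost.exe is
# included to show the same check generalises to other masquerade targets.
EXPECTED_DIRS = {
    "narrator.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def is_masquerade(event: dict) -> bool:
    """True when the image name matches a watched binary but its directory
    is not one of the expected locations for that binary."""
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    if name not in EXPECTED_DIRS:
        return False
    directory = ntpath.dirname(image).lower().rstrip("\\")
    return directory not in EXPECTED_DIRS[name]


def find_masquerades(events: Iterable[dict]) -> list:
    """Return the process-creation events that fail the location check."""
    return [e for e in events if is_masquerade(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\Narrator.exe", "parent": "explorer.exe"},
    {"pid": 5532, "image": r"C:\Users\Public\Narrator.exe", "parent": "cmd.exe"},
    {"pid": 6010, "image": r"C:\Windows\SysWOW64\svchost.exe", "parent": "services.exe"},
    {"pid": 6201, "image": r"C:\ProgramData\svchost.exe", "parent": "powershell.exe"},
]

if __name__ == "__main__":
    # A path check alone is a weak signal: pair it with code-signature
    # verification of the image file before treating a hit as confirmed.
    for hit in find_masquerades(SAMPLE_EVENTS):
        print("suspicious image location:", hit["pid"], hit["image"])
```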

The anniversary of WannaCry marking three years since alerts about North Korean hackers started

WannaCry ransomware[5] was one of the biggest and most notorious cryptovirus examples. The threat leveraged a Windows SMB exploit, hijacked unpatched Windows devices, and demanded payments from victims for their locked files. The U.S. has sanctioned the hacker group as well as additional hackers who have been working on behalf of the North Korean attackers.

At first, the ransomware activity was linked with the Pyongyang regime, and charges were pressed against multiple people. North Korean programmer Park Jin Hyok is one of many hackers behind the malware outbreak and also a government employee who has been sentenced for hacking activities.

The hacker who was called a savior for creating the WannaCry killswitch has also spoken recently.[6] There were many misconceptions and investigations, because Marcus Hutchins was accused of spreading other malware after his WannaCry-fighting activities surfaced. He faced charges and was almost sentenced to ten years in jail, but his successful career in the field of cybersecurity made him a free man and saved many people from the notorious malware.