US issues warning about North Korean malware

US government has identified more than 85 networks compromised by two malware families believed to be North Korean in origin

The US Computer Emergency Readiness Team (US-Cert) has issued a technical alert about two families of malware used by the North Korean government.

US-Cert said the alert was the result of analytic efforts between the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

Working with US government partners, the DHS and FBI identified IP addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government, the alert said.

One is a remote access Trojan (RAT), commonly known as Joanap, and the other is a server message block (SMB) worm, commonly known as Brambul.

The FBI has “high confidence” that North Korean actors are using the associated set of IP addresses to maintain a presence on victims’ networks and enable network exploitation, the alert said.

“The DHS and FBI are distributing these IP addresses and other IOCs to enable network defence and reduce exposure to any North Korean government malicious cyber activity,” it added.

The US government has identified more than 85 compromised networks. The addresses are being distributed, along with suggested remediation actions.

Anyone detecting activity associated with these malware families should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation, the alert said.

US authorities believe it is “likely” that North Korean actors have been using Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the US, including the media, aerospace, financial and critical infrastructure sectors.

Joanap malware is a fully functional RAT that can receive multiple commands, which can be issued by operators remotely from a command and control server. The alert said Joanap typically infects a system as a file dropped by other malware, which users unknowingly download either when they visit sites compromised by North Korean actors, or when they open malicious email attachments.

Read more about WannaCry

  • The National Crime Agency believes the recent WannaCry attacks represent a “signal moment” in terms of awareness of cyber attacks and their real-world impact.
  • Computers running Windows 7 accounted for the biggest proportion of machines infected with the WannaCry ransomware, while NHS suppliers are blamed for hampering patching by NHS trusts.
  • Security advisers are urging organisations to patch their Windows systems to avert a possible second wave of an unprecedented, indiscriminate ransomware attack.
  • A failure by many organisations to take cyber security seriously has long been blamed on the lack of a single significant event to shake things up.

The alert warned that malware often infects servers and systems without the knowledge of system users and owners. “If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks,” it said.

US authorities believe Joanap is used to establish peer-to-peer communications and to manage botnets designed to enable other operations, and that it enables North Korean actors to exfiltrate data, drop and run secondary payloads, and initialise proxy communications on a compromised Windows device. The malware also encodes data using Rivest Cipher 4 encryption to protect its communication.

Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks, the alert said.

An exploit of the SMB protocol was a key component of the WannaCry attacks in May 2017 that the UK and US governments blamed on North Korea in December 2017.

Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorised access on the victim’s systems, it communicates information about the systems to North Korean actors using malicious email addresses.

The alert warned that a successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible impacts include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organisation’s reputation.

The alert recommends that organisations:

  • Keep operating systems and software up to date with the latest patches because most attacks target vulnerable applications and operating systems.
  • Maintain up-to-date antivirus software and scan all software downloaded from the internet before executing.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
  • Scan for and remove suspicious email attachments. If a user opens a malicious attachment and enables macros, embedded code will execute the malware on the machine.
  • Disable Microsoft’s File and Printer Sharing service, if not required by the user’s organisation. If this service is required, use strong passwords or Active Directory authentication.
  • Enable a personal firewall on organisation workstations and configure it to deny unsolicited connection requests.

The alert coincides with North Korea sending a top adviser to New York to prepare for a possible summit on its nuclear arsenal between US president Donald Trump and North Korean leader Kim Jong Un.

Read more on Hackers and cybercrime prevention