U.S. Cyber Command Shares More North Korean Malware Variants

The United States Cyber Command (USCYBERCOM) has uploaded five malware samples to VirusTotal total today, which it has attributed to the North Korean threat group Lazarus.

Since November 2018, USCYBERCOM has shared numerous malware samples as part of a project started by its Cyber National Mission Force (CNMF), including malicious files attributed to nation states from North Korea, Russia, and Iran

In September last year, it shared with the popular scanning engine 11 samples attributed to Lazarus, which the U.S. refers to as “Hidden Cobra.” 6 other samples were added in February this year. 

Today, USCYBERCOM shared five more files, four of which appear to have been created in 2018, and one dated 2017. 

These files are samples of three malware families that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) are calling COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH. 

Two of the samples have high detection rates on VirusTotal, with more than 35 of the 71 antivirus engines recognizing them as malicious. One of the files appears to be a variant of Destover that was initially spotted in 2017.

COPPERHEDGE is the malware family that many security companies track as Manuscrypt, and which has been used in previous attacks on cryptocurrency exchanges and related entities.

A full-featured Remote Access Tool (RAT), Manuscrypt provides attackers with support for running arbitrary commands on the compromised machines, perform system reconnaissance, and exfiltrate data deemed of interest. 

Analysis of network and code features has revealed the existence of six distinct variants of the malware, USCYBERCOM says. 

TAINTEDSCRIBE is described as a full-featured beaconing implant that is accompanied by its command modules. The malware can download/upload/delete/execute files, enable Windows CLI access, create/terminate processes, and enumerate the target system. 

“These samples uses FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator,” USCYBERCOM explains. 

PEBBLEDASH, another full-featured beaconing implant that also uses FakeTLS for session authentication, but uses RC4 for network encoding, has similar capabilities. 

The samples appear to share some code similarities that result in some detection engines identifying them as variants of the NukeSped RAT, something that was observed with previously shared malware samples as well. 

Related: USCYBERCOM Shares More North Korean Malware Samples

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *