Overview

This report provides updates to North Korea's HIDDEN COBRA (Lazarus) toolset along with changes in their tactical operations. While their tactics, techniques, and procedures haven't changed significantly, the toolset updates indicate an advancement in their technical capability. HIDDEN COBRA has modified and/or created new malware toolsets including the previously reported HOPLIGHT trojan.

Tactics, Techniques, and Procedures

HOPLIGHT:

The HOPLIGHT modification involves a change in the packer used, which is now Themida. A new payload was created to proxy and/or obfuscate traffic between infected hosts in the network. According to the sample analyzed by CISA (Cybersecurity and Infrastructure Security Agency), the SSL/TLS implementation has not changed.

SLICKSHOES:

This new malware created by HIDDEN COBRA acts as a loader or a dropper depending on the scenario. The malware is written to the file path C:\Windows\Web\taskenc.exe, and it beacons through a variety of created processes that hook into that file, operating much like Cobalt Strike. All communication during the beaconing process uses bespoke encoding methodologies. There is a hardcoded C2 server, with communications occurring every sixty seconds.

CROWDEDFLOUNDER:

This is a remote access trojan (RAT) that operates in the infected system’s memory. It is packed with the Themida packer and built for 32-bit architecture. This malware is essentially malware-as-a-service and often comes packaged with other tools. The malware changes the local firewall settings (using the NETSH firewall command set) on the infected host to allow communication between the software and the C2 server. Communication with the C2 server and any data transfers are encoded using a rotating XOR. The malware can download DLL files from a specified URL and inject them into remote processes.

HOTCROISSANT:

This is another new beaconing tool from HIDDEN COBRA. All network traffic is encoded using XOR, with C2 traffic limited to a specified hardcoded IP address over TCP port 8088. When a host is successfully infected, some data is transferred, such as the victim’s IP address, operating system version, and hardware specifications. Notable functions include listing all open windows, capturing the screen, spawning a reverse shell using cmd.exe, and searching for files by file name recursively.

ARTFULPIE:

This new tool operates as a downloader and a DLL injector. ARTFULPIE is built to download a file called thinkmeter[.]dll from a hardcoded URL and run it in memory. It loads the DLL into its own address space and calls the malicious file’s entry point. The callout to the hardcoded URL occurs over TCP port 88.

BUFFETLINE:

This new tool operates as a beacon and behaves like a RAT. The malware encodes its network traffic with RC4 and hides that traffic using PolarSSL certificates. The malware first authenticates itself to the C2 server and then sends a hardcoded 32-byte string for which it expects a specific response. It collects information about the system, such as the computer name and the ANSI code page identifier.

BISTROMATH:

This tool operates as a full-featured RAT with a CAgent11 implant builder/controller. The implant is built for system management purposes, with the ability to perform reconnaissance. All network traffic is encoded using XOR. The malware checks the infected host to ensure it is not running in a sandbox/malware analysis environment. These checks look for files in the C:/sandbox file path, for user accounts with names such as malware, virus, and sandbox, and for the presence of specific API calls in the system.

Impact

  • Could result in the loss of sensitive information via data exfiltration
  • May lead to unwanted network reconnaissance and the propagation of more malware in the environment

If allowed enough time, a foreign adversary could gain valuable intelligence about your environment.

Recommendation

We strongly encourage reviewing the IOCs found in the AlienVault OTX and SentinelOne links.

Consider implementing the following detection methodologies:

  • Snort rule: alert TCP any any -> any any (msg:"Malware Detected"; content:"PolarSSL"; pcre:"/\x17\x03\x02\x00\x23.{39}\x17\x03\x02/"; rev:1; sid:99999999;)

  • LogRhythm rules:
    • AIE: C2: Abnormal Process Activity
    • AIE: HSv2 Exfiltration: Large Outbound Transfer
    • AIE: AVT - C2: Excessive Outbound Firewall Denies
    • AIE: Compromise: Malware Event
    • AIE: Compromise: Repeated Attacks Against Host

  • Monitor for traffic over high-numbered ports such as 8088/TCP
  • Monitor for unusual file changes and additions using FIM (File Integrity Monitoring), a capability both AlienVault and LogRhythm provide
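The following is an added example, not code from the report, CISA or any of the vendors named above. It emulates the BUFFETLINE Snort rule (content match plus PCRE, with the PCRE read without a leading space, which would not be part of a TLS record header) over constructed payloads, and applies the port-monitoring recommendation (8088/TCP for HOTCROISSANT, 88/TCP for ARTFULPIE) to constructed flow records; the flow record format and the allowlist are assumptions.

```python
import re

# Byte pattern from the report's Snort rule: 0x17 = TLS application-data record,
# 0x03 0x02 = TLS 1.1, 0x00 0x23 = record length 35. As in Snort's PCRE, '.' does
# not match 0x0a (newline), so a newline byte inside the 39-byte window defeats the rule.
BUFFETLINE_PCRE = re.compile(rb"\x17\x03\x02\x00\x23.{39}\x17\x03\x02")
CONTENT_MATCH = b"PolarSSL"  # Snort content: match is case-sensitive by default


def matches_buffetline_rule(payload: bytes) -> bool:
    """Emulate the rule: both the content string and the PCRE must match the payload."""
    return CONTENT_MATCH in payload and BUFFETLINE_PCRE.search(payload) is not None


# Constructed payloads for exercising the matcher (not real captures).
SAMPLE_HIT = b"PolarSSL" + b"\x17\x03\x02\x00\x23" + b"A" * 39 + b"\x17\x03\x02\x00\x10"
SAMPLE_NEWLINE_IN_WINDOW = (b"PolarSSL" + b"\x17\x03\x02\x00\x23"
                            + b"A" * 20 + b"\n" + b"A" * 18 + b"\x17\x03\x02")
SAMPLE_NO_CONTENT = b"\x17\x03\x02\x00\x23" + b"A" * 39 + b"\x17\x03\x02"

# Ports called out in the report. TCP 88 is also Kerberos, so known domain
# controllers should be allowlisted to keep the check from firing on normal auth traffic.
WATCHED_PORTS = {8088: "HOTCROISSANT C2 beacon (TCP 8088)", 88: "ARTFULPIE download (TCP 88)"}


def flag_flows(flow_lines, allowlisted_dst=frozenset()):
    """Flow records are 'src_ip,dst_ip,dst_port,proto' (assumed format).
    Returns (src, dst, reason) for each TCP flow to a watched port."""
    hits = []
    for line in flow_lines:
        src, dst, port, proto = line.strip().split(",")
        port = int(port)
        if proto.lower() != "tcp" or port not in WATCHED_PORTS or dst in allowlisted_dst:
            continue
        hits.append((src, dst, WATCHED_PORTS[port]))
    return hits


# Constructed flow records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    "10.0.0.5,203.0.113.10,8088,tcp",
    "10.0.0.5,10.0.0.1,88,tcp",        # Kerberos to the internal DC: allowlisted below
    "10.0.0.7,198.51.100.20,88,tcp",
    "10.0.0.7,198.51.100.20,443,tcp",
    "10.0.0.9,203.0.113.10,8088,udp",  # not TCP, so not flagged
]

if __name__ == "__main__":
    print(matches_buffetline_rule(SAMPLE_HIT), matches_buffetline_rule(SAMPLE_NEWLINE_IN_WINDOW))
    print(flag_flows(SAMPLE_FLOWS, allowlisted_dst={"10.0.0.1"}))
```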

Sources

AlienVault OTX (Open Threat Exchange):

Supporting Documentation:

Threat Actor Analysis:

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe and is used internally by the Avertium CyberOps Team. The report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities. 

 