US Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.

The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) “used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities.”

This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.

TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.

The trojan “downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

It’s interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal — and probably required some complicated declassification maneuvering.

Me, I like reading the codenames.

Lots more on the US-CERT website.

Posted on May 14, 2020 at 6:29 AM13 Comments

Comments

metaschima May 14, 2020 7:38 AM

It’s a good thing to make it public. Adding this to virus definitions is a good thing. However, antivirus won’t save you from something like this. The code can be easily modified to go under the radar of all antivirus. It’s way harder than that to defend against something like this (APT).

TimH May 14, 2020 9:28 AM

@Q: yes, if every country exposed their findings then that would be great… but why would they expose clever code as opposed to exploit it themselves? It’s the defence vs offense problem.

Rampage May 14, 2020 10:12 AM

I wouldn’t mind if they exposed everyone else’s malware in retaliation…. the problem is they’re probably just going to go on an attacking rampage instead (against US companies, and others)

Clive Robinson May 14, 2020 1:33 PM

@ ALL,

Let’s forget attribution for the moment, and just accept that all countries and corporations that can produce and use APT etc will do.

If we do we then get to the real questions of,

1, How come it’s in effect so easy to make malware?

2, How come it’s in effect so difficult to stop malware?

The answer of course is twofold,

1, Promiscuous ICT usage.
2, Piss Poor quality software.

Whilst there are effective solutions to “promiscuous usage” most modern “MBA Business Plans” don’t bother with “downsides” just “upsides” thus security at best gets lipservice.

As for the “Piss Poor Quality” software, were do you even start?

A scorched earth policy might be a consideration.

But at the end of the day the real take away about APT and other malware is,

    We have done it to our selves, and we have reaped what we have sown.

If and only if the entire industry acknowledges this and actually does what is necessary will APT and other Malware cease to be an issue…

Till then I hardly think it matters who is allegedly responsible for APT and other Malware, after all “naming” is not going to be “shaming” they are if not more patriotic as all those who work in the NSA and GCHQ et al.

The only way to stop “patriotic people” carrying out such activities is to make them obsolete by design…

That is you have to be “proactive” not very belatedly “reactive”.

Clive Robinson May 14, 2020 2:13 PM

@ Bruce,

Me, I like reading the codenames.

They are supposed to be “random”.

That is any two words from a long list of words.

However it’s become clear that such names as come to light of day are not as random as you would expect them to be.

Otherwise we would have “MADSCRIBE” and “TAINTEDBUSH” or perhaps the Dilbert Cartoon one where “Catbert” describes using a list of “celestial objects” and “scientific terms” to get project names and informing Dilbert that his was “URANUSHERTZ”.

Yan Levy May 14, 2020 7:45 PM

@Rampage Why shouldn’t they? The US occupational government is trying to commit genocide against their entire people, after all.

Jon May 14, 2020 8:13 PM

allegedly North Korean malware samples …
FTFY.

After all, isn’t the first debating rule of this administration “Accuse others of doing exactly what you’re doing”?

J.

Phaete May 15, 2020 6:03 AM

Another advantage of the snazzy sounding unique words they created is that they are easily recognised and indexed by any mass text or speech surveillance.

And we the public love to use them.
Much easier then KOR RAT APK v2.13 (as example) for us and for them and for them.

Ergo Sum May 15, 2020 7:15 AM

@Clive Robinson…

The answer of course is twofold,

1, Promiscuous ICT usage.
2, Piss Poor quality software.

An accurate, non-discriminating description of our present and future. Especially, if we take it in to account the inability of the governments to make even a feeble attempt to marginally control our privacy. Especially in the US…

Google it May 15, 2020 1:29 PM

@Yan Levy

indeed, bodies are strewn up and down every street, they are using bulldozers to pile them up, and then set fire to them…*

*do you really think living in the middle of a horrific apocalypse, you’d suddenly have an urge to fire up your tor browser and read schneier?

Pete May 18, 2020 4:32 AM

@Clive Robinson writes:

“However it’s become clear that such names as come to light of day are not as random as you would expect them to be.”

PEBBLEDASH? COPPERHEDGE?

I think they’re using definitions in Roger’s Profanisaurus. Wonder where they got that idea?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.