US Government Exposes North Korean Malware
US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.
The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) “used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities.”
This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.
TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.
The trojan “downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
It’s interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal—and probably required some complicated declassification maneuvering.
Me, I like reading the codenames.
Lots more on the US-CERT website.
Subscribe to comments on this entry
metaschima • May 14, 2020 7:38 AM
It’s a good thing to make it public. Adding this to virus definitions is a good thing. However, antivirus won’t save you from something like this. The code can be easily modified to go under the radar of all antivirus. It’s way harder than that to defend against something like this (APT).