Date: 14 February 2020
Author: Christopher Kim
1. Executive Summary
On 14 February, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) jointly published seven Malware Analysis Reports (MARs) regarding the following malware variants: HOPLIGHT, BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, and BUFFETLINE. The reporting agencies attributed these malware variants to the North Korean government, whose malicious cyber activities are commonly referred to as HIDDEN COBRA.
All of the malware variants use a remote access trojan (RAT) to send victim information to a hardcoded command and control (C2) IP address. The RAT payload can either be fetched from a download URL, or written directly to a specific file location on the infected machine if it was embedded in a dropper. The RAT can be loaded into memory and then initiate connections with its C2, or it can be installed as a proxy service that listens for inbound packets containing commands. According to the MARs, the HIDDEN COBRA actor(s) used encoding and encryption schemes, such as XOR cipher and Rivest Cipher 4 (RC4), as well as fake transport layer security (TLS) headers in an attempt to obfuscate their network communications.
The MARs did not identify any actual or intended victims, but HIDDEN COBRA activity has historically been focused against the media, aerospace, and financial industries, as well as other critical infrastructure industries. The following advisories from the Infoblox Cyber Intelligence Unit provide additional information and context about past HIDDEN COBRA activity:
- HIDDEN COBRA: BADCALL (Sep 2019)
- HIDDEN COBRA: ELECTRICFISH (May 2019)
- HIDDEN COBRA: HOPLIGHT (Apr 2019)
- HIDDEN COBRA: FASTCash (Oct 2018)
- HIDDEN COBRA: Keymarble (Aug 2018)
- HIDDEN COBRA: Typeframe (June 2018)
- HIDDEN COBRA: Brambul Worm & Joanap RAT (May 2018)
- HIDDEN COBRA: Fallchill RAT & Volgmer Trojan (Nov 2017)
All of the MARs except for the one on ARTFULPIE described functions of the RATs. The reports were consistent and included capabilities such as conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. Communication between the RAT and its C2(s) was always encrypted with XOR cipher or RC4. The reporting agencies described ARTFULPIE as a downloader that loads a DLL payload into the computer's memory, but did not provide further details.
According to the MAR, analysts found at least 20 malicious executable files pertaining to HOPLIGHT. Most of these files are proxy applications that serve to mask traffic between the malware and the remote operators. These proxies are capable of generating fake TLS handshake sessions using valid public secure sockets layer (SSL) certificates, which allow malicious actors to further disguise HOPLIGHT’s network connections with remote systems.
One of HOPLIGHT’s files contains a public SSL certificate along with a payload that appears to be encoded with a password or key. Another file does not contain any public SSL certificates, but attempts outbound connections and drops several files.
The BISTROMATH malware uses a graphical user interface (GUI) controller named CAgent<version_number> (e.g. Cyber Agent v11.0) to dynamically build and run RATs on the infected machine. The reporting agencies identified nine executables that were associated with BISTROMATH operations, and confirmed that five of them were RAT payloads and two were GUI controllers. When the controller builds the RAT, it dynamically defines the values for the following options:
- Callback IP (C2 IP address)
- Callback Port (Port number of the C2 IP address)
- Beacon Interval (Wait time before re-attempting a connection to the C2)
- Output Path (Write location for RAT payload)
The RAT profiles the infected device via system surveys and sends the below information to the C2 IP address, which is hardcoded into the RAT binary. Additionally, the RAT has other spying capabilities, such as monitoring the microphone, clipboard, and computer screen. When the malware sends data packets to the C2, it encodes the data after the header via XOR cipher with the XOR key 0x07. In one instance, the agencies saw communications to the hardcoded address 159[.]100[.]250[.]231 over port 8080 using TCP.
- Implant_Version = "11.0"
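The single-byte XOR encoding described above is easy to undo during triage of a captured packet, and the field names the MAR says the RAT sends (such as Implant_Version) give an analyst a way to confirm the key. The helpers below are an added example written for this advisory, not code from the MAR; the 4-byte header length and the sample packet are constructed assumptions, since the MAR does not publish a packet layout. The key-recovery function goes beyond the 0x07 case and tries every one-byte key, which covers any sample that uses the same scheme with a different key.

```python
# Added example (not the MAR's or the advisory's own code): triage helpers for
# C2 payloads that XOR the bytes after a packet header with a one-byte key, as
# BISTROMATH does with key 0x07. The 4-byte header length and the sample
# packet are constructed assumptions; the MAR does not publish a packet layout.
import string
from typing import Optional

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_after_header(packet: bytes, header_len: int, key: int = 0x07) -> bytes:
    """Keep the first header_len bytes as-is and decode everything after them."""
    return packet[:header_len] + xor_bytes(packet[header_len:], key)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a cheap 'did the key work' signal."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_key(body: bytes, marker: bytes = b"Implant_Version") -> Optional[int]:
    """Brute-force all 255 non-identity keys and return the one whose output
    contains a field name the malware is known to send (the MAR lists
    Implant_Version among the survey fields). Returns None if nothing matches."""
    for key in range(1, 256):
        if marker in xor_bytes(body, key):
            return key
    return None


# Constructed sample: an assumed 4-byte header followed by an XOR-0x07 body.
SAMPLE_HEADER = b"\x00\x00\x00\x2a"
SAMPLE_BODY_PLAIN = b'Implant_Version="11.0"|Host=WS-01|User=alice'
SAMPLE_PACKET = SAMPLE_HEADER + xor_bytes(SAMPLE_BODY_PLAIN, 0x07)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PACKET[4:])
    print("recovered key:", hex(key))
    print("decoded body:", decode_after_header(SAMPLE_PACKET, 4, key)[4:])
```

Because the marker is fifteen bytes long and XOR with a fixed key is a bijection on each byte, a wrong key cannot reproduce it by accident; printable_ratio is only a coarse secondary signal, since keys such as 0x20 also turn ASCII into ASCII.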
The attacker views and manages victim information through the CAgent11 GUI controller. The controller has functions for establishing a remote desktop viewer, performing network drive enumeration, uploading/downloading files, listing running processes and services, setting a reverse shell, capturing and recording computer microphone activity, running keyloggers, monitoring browser activity, collecting cached passwords, dynamic link library (DLL) loading and unloading, and updating download payload locations within the RAT binaries. It also has the option to uninstall the RAT from the infected machine.
SLICKSHOES uses a dropper malware packed using the Themida software protection system. It decodes an embedded payload and drops the file at C:\Windows\Web\taskenc.exe. The dropper does not execute it, however, nor does it create any auto-run keys or scheduled tasks that run it. The taskenc.exe file is a RAT-like tool that makes calls over port 80 every 60 seconds to a C2 IP address (188[.]165[.]37[.]168), which is hardcoded into the taskenc.exe binary. Data packets sent to the C2 are also encoded using a unique algorithm. SLICKSHOES comes with many features, including conducting system surveys, uploading and downloading files, executing processes and commands, and taking screen captures.
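A fixed 60-second check-in to one address on port 80 is the kind of pattern network flow data exposes even when the payload itself is encoded. The script below is an added example for this advisory, not code from the MAR: it groups flows per source, destination and port, and reports any tuple whose inter-arrival times are nearly constant. The log format and the log lines are constructed; the C2 address is the one the MAR publishes, written without defanging so it can be matched.

```python
# Added example (not from the MAR or the advisory): detecting a fixed-interval
# beacon such as the 60-second, port-80 check-in the MAR describes for
# SLICKSHOES. The flow-record format and the records are constructed; the
# C2 address below is the one published in the MAR (defanged on the page).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

KNOWN_C2 = {"188.165.37.168"}  # from the MAR

# Constructed flow records: "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.0.5 checks in once a minute with a second or two of jitter; 10.0.0.8
# is ordinary irregular browsing to a TEST-NET address.
SAMPLE_LOG = """\
2020-02-14T09:00:00 10.0.0.5 188.165.37.168 80 tcp
2020-02-14T09:01:00 10.0.0.5 188.165.37.168 80 tcp
2020-02-14T09:02:01 10.0.0.5 188.165.37.168 80 tcp
2020-02-14T09:03:00 10.0.0.5 188.165.37.168 80 tcp
2020-02-14T09:04:00 10.0.0.5 188.165.37.168 80 tcp
2020-02-14T09:00:07 10.0.0.8 203.0.113.20 443 tcp
2020-02-14T09:00:09 10.0.0.8 203.0.113.20 443 tcp
2020-02-14T09:17:42 10.0.0.8 203.0.113.20 443 tcp
2020-02-14T09:31:05 10.0.0.8 203.0.113.20 443 tcp
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.1):
    """Group flows per (src, dst, dport) and report groups whose inter-arrival
    times are nearly constant: population stdev / mean <= max_jitter."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_tuple[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "interval_s": round(avg), "hits": len(stamps),
                "known_c2": dst in KNOWN_C2,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_flows(SAMPLE_LOG)):
        print(f)
```

The jitter threshold is the tunable part: real implants often add small random sleeps, so a strict equality test would miss them, while a threshold that is too loose will flag legitimate pollers such as software updaters. Pairing the timing signal with the known_c2 flag keeps the published IOC useful without relying on it alone.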
CROWDEDFLOUNDER consists of a 32-bit Windows dropper that the threat actor(s) packed using Themida software. When the executable is launched, it unpacks an embedded RAT binary and loads it into memory. The RAT can accept dynamic argument values during execution or it can be directly installed as a service with command line arguments.
When the RAT is executed, it modifies the Windows Firewall configuration on the victim's machine using the "netsh firewall add portopening" command to allow inbound and outbound connections. The RAT can be enabled as a proxy that listens for incoming connections containing commands, or it can connect directly to its C2 to fetch them.
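A host-based firewall change like this shows up in process-creation telemetry, and the command line carries the protocol, port and rule name that an analyst needs. The detector below is an added example for this advisory, not code from the MAR: it scans constructed process-creation records for the command the MAR names and parses its arguments. It accepts the legacy netsh syntax in both its key=value form (with or without spaces around "=") and its positional form (protocol, port, name, mode); the record layout is an assumption made for the example.

```python
# Added example (not from the MAR or the advisory): flagging process creations
# that run "netsh firewall add portopening", the command the MAR says
# CROWDEDFLOUNDER uses to open the host firewall. The record layout and the
# records are constructed. The legacy netsh syntax accepts either
# "protocol=TCP port=443 name=x mode=ENABLE" (spaces around "=" allowed) or
# the same values positionally; both forms are handled.
import re
import shlex

# Constructed process-creation records: "<timestamp> <host> <user> <command line>"
SAMPLE_EVENTS = [
    "2020-02-14T10:02:11 WS-01 alice netsh firewall add portopening protocol=TCP port=443 name=Update mode=ENABLE",
    "2020-02-14T10:02:12 WS-01 alice netsh firewall add portopening protocol = UDP port = 53 name = dns",
    "2020-02-14T10:03:00 WS-02 bob netsh interface ip show config",
    "2020-02-14T10:05:44 WS-03 svc_backup netsh firewall show state",
]

PORTOPENING = re.compile(r"\bnetsh\s+firewall\s+add\s+portopening\b", re.IGNORECASE)
POSITIONAL = ["protocol", "port", "name", "mode"]


def parse_netsh_args(cmdline):
    """Return the arguments after 'add portopening' as a dict with lowercase keys."""
    tail = PORTOPENING.split(cmdline, maxsplit=1)[1]
    # Collapse 'key = value' into 'key=value' so shlex yields one token per pair.
    tail = re.sub(r"\s*=\s*", "=", tail)
    args, positional = {}, list(POSITIONAL)
    for tok in shlex.split(tail):
        if "=" in tok:
            k, v = tok.split("=", 1)
            args[k.lower()] = v
        elif positional:
            args[positional.pop(0)] = tok
    return args


def find_firewall_openings(events):
    """Scan records and describe every firewall port-opening command found."""
    findings = []
    for line in events:
        ts, host, user, cmdline = line.split(" ", 3)
        if not PORTOPENING.search(cmdline):
            continue
        args = parse_netsh_args(cmdline)
        port = args.get("port", "")
        findings.append({
            "time": ts, "host": host, "user": user,
            "protocol": args.get("protocol", "").upper(),
            "port": int(port) if port.isdigit() else None,
            "name": args.get("name"),
            "mode": args.get("mode", "ENABLE").upper(),
        })
    return findings


if __name__ == "__main__":
    for f in find_firewall_openings(SAMPLE_EVENTS):
        print(f)
```

In production the same logic would read Sysmon event ID 1 or Security event 4688 command lines rather than the constructed strings above; the parsed port and rule name are what make the alert actionable, since a port opening created by an unknown process or user is the signal, not the netsh invocation by itself.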
Similar to BISTROMATH, HOTCROISSANT also uses a RAT to profile the infected machine and make calls to its C2. The reporting agencies used static analysis to determine that HOTCROISSANT performs malicious functions, including conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. HOTCROISSANT encodes the data packets that it sends to the C2 using a custom XOR cipher algorithm.
ARTFULPIE uses a downloader to fetch an executable from the hardcoded URL hXXp://193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll with the browser user-agent string "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)". It then loads the DLL's contents into the infected computer's memory. The reporting agencies did not identify the downloaded payload in the MAR.
BUFFETLINE is a RAT that attempts to mask its usage of network functions using a customized RC4 encryption algorithm to obfuscate strings used for API lookups, as well as strings used during the network handshake. It uses API calls such as LoadLibrary() and GetProcAddress() to load DLLs and resolve the functions it needs.
The RAT binary is hardcoded with a plain text C2 IP address, and initiates a connection to it by performing a PolarSSL handshake using TLS version 1.1. The RAT does not use the session key generated by the PolarSSL TLS handshake in its subsequent communications; instead, it sends packets containing a fake TLS header encrypted with a custom XOR cipher. The RAT then waits for commands from its C2 after sending victim information.
3. Prevention and Mitigation
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against attacks related to HIDDEN COBRA. CISA also stresses that it is crucial to review system configuration changes with system owners and administrators before implementing them because users may face unwanted impacts that can damage their business.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing it.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
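The "true file type" check in the list above means comparing an attachment's claimed extension with the format its leading bytes actually declare, which catches a PE executable renamed to look like a document. The checker below is an added example written for this advisory, not code from CISA or the MARs; its signature table covers a handful of common formats, and the sample attachments are constructed byte strings rather than files from the report.

```python
# Added example (not from CISA's guidance or the MARs): a "true file type"
# check that compares an attachment's extension with its leading magic bytes.
# The signature table is deliberately small; the sample attachments are
# constructed byte strings, not files from the report.

# (leading bytes, extensions that legitimately use them, label)
MAGIC = [
    (b"MZ",                                 {"exe", "dll", "scr"},                    "pe"),
    (b"%PDF-",                              {"pdf"},                                  "pdf"),
    (b"PK\x03\x04",                         {"zip", "docx", "xlsx", "pptx", "jar"},   "zip"),
    (b"\x89PNG\r\n\x1a\n",                  {"png"},                                  "png"),
    (b"\xff\xd8\xff",                       {"jpg", "jpeg"},                          "jpeg"),
    (b"{\\rtf",                             {"rtf"},                                  "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   {"doc", "xls", "ppt", "msi"},             "ole"),
]


def detect_type(data: bytes):
    """Return the label of the first signature the data starts with, else None."""
    for sig, _, label in MAGIC:
        if data.startswith(sig):
            return label
    return None


def extension_of(filename: str) -> str:
    """Lowercase final extension; empty string when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes):
    """Return (verdict, detected_type): 'ok' when the extension fits the header,
    'mismatch' when the header says one format and the name claims another,
    'unknown' when no signature matched."""
    label = detect_type(data)
    if label is None:
        return ("unknown", None)
    allowed = next(exts for _, exts, lab in MAGIC if lab == label)
    return ("ok" if extension_of(filename) in allowed else "mismatch", label)


# Constructed sample attachments (name, first bytes).
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),       # PE header behind a .pdf name
    ("report.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("photo.jpg",   b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("quarter.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("notes.txt",   b"just some text"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, check_attachment(name, head))
```

Only the leading bytes are needed, so a mail gateway can run this on the first few hundred bytes of each attachment; formats that share a container (DOCX is a ZIP) are handled by listing every extension that legitimately uses the container, and a result of "unknown" should be treated as "inspect further", not as clean.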
4. Indicators of Compromise (IOCs)
HOPLIGHT C2 / Proxy
HOPLIGHT executable SHA256
HOPLIGHT SHA256 for dropped files
BISTROMATH RAT SHA256
BISTROMATH CAgent Controller/Builder SHA256
BISTROMATH PE32 executable SHA256
SLICKSHOES dropper SHA256
CROWDEDFLOUNDER dropper SHA256
HOTCROISSANT RAT SHA256
ARTFULPIE downloader SHA256
ARTFULPIE payload download location
BUFFETLINE RAT SHA256