HIDDEN COBRA Malware Updates
02-14-2020 05:16 PM - edited 02-17-2020 01:40 PM
Date: 14 February 2020
TLP:WHITE
Author: Christopher Kim
1. Executive Summary
On 14 February, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) jointly published seven Malware Analysis Reports (MARs) regarding the following malware variants: HOPLIGHT,[1] BISTROMATH,[2] SLICKSHOES,[3] CROWDEDFLOUNDER,[4] HOTCROISSANT,[5] ARTFULPIE,[6] and BUFFETLINE.[7] The reporting agencies attributed these malware variants to the North Korean government, whose malicious cyber activities are commonly referred to as HIDDEN COBRA.[8]
All of the malware variants either are, or deliver, a remote access trojan (RAT) that sends victim information to a hardcoded command and control (C2) IP address. The RAT payload is either fetched from a download URL or, when embedded in a dropper, written directly to a specific file location on the infected machine. The RAT can be loaded into memory and initiate connections to its C2, or it can be installed as a proxy service that listens for inbound packets containing commands. According to the MARs, the HIDDEN COBRA actor(s) obfuscated their network communications with simple ciphers, such as a single-byte XOR cipher and Rivest Cipher 4 (RC4), and with fake transport layer security (TLS) headers. Because the keys are embedded in the binaries, these schemes hide the traffic from casual inspection rather than providing real confidentiality against an analyst who has the sample.
The MARs did not identify any actual or intended victims, but HIDDEN COBRA activity has historically been focused against the media, aerospace, and financial industries, as well as other critical infrastructure industries.[8] The following advisories from the Infoblox Cyber Intelligence Unit provide additional information and context about past HIDDEN COBRA activity:
- HIDDEN COBRA: BADCALL (Sep 2019)[9]
- HIDDEN COBRA: ELECTRICFISH (May 2019)[10]
- HIDDEN COBRA: HOPLIGHT (Apr 2019)[11]
- HIDDEN COBRA: FASTCash (Oct 2018)[12]
- HIDDEN COBRA: Keymarble (Aug 2018)[13]
- HIDDEN COBRA: Typeframe (June 2018)[14]
- HIDDEN COBRA: Brambul Worm & Joanap RAT (May 2018)[15]
- HIDDEN COBRA: Fallchill RAT & Volgmer Trojan (Nov 2017)[16]
2. Analysis
All of the MARs except the one on ARTFULPIE describe the functions of the RATs. The reports are consistent and list capabilities such as conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. Communication between a RAT and its C2(s) was always encoded with an XOR cipher or RC4. The reporting agencies describe ARTFULPIE as a downloader that loads a DLL payload into memory, but provide no further details.
2.1. HOPLIGHT
According to the MAR, analysts found at least 20 malicious executable files pertaining to HOPLIGHT. Most of these files are proxy applications that serve to mask traffic between the malware and the remote operators. These proxies are capable of generating fake TLS handshake sessions using valid public secure sockets layer (SSL) certificates, which allow malicious actors to further disguise HOPLIGHT’s network connections with remote systems.
One of HOPLIGHT’s files contains a public SSL certificate along with a payload that appears to be encoded with a password or key. Another file does not contain any public SSL certificates, but attempts outbound connections and drops several files.
2.2. BISTROMATH
The BISTROMATH malware is operated through a graphical user interface (GUI) controller named CAgent<version_number> (e.g. "Cyber Agent v11.0") that builds RAT payloads and manages the infected machines they run on. The reporting agencies identified nine executables associated with BISTROMATH operations, and confirmed that five of them were RAT payloads and two were GUI controllers. When the controller builds a RAT, it sets the values for the following options:
- Callback IP (C2 IP address)
- Callback Port (Port number of the C2 IP address)
- Beacon Interval (Wait time before re-attempting a connection to the C2)
- Output Path (Write location for RAT payload)
The RAT profiles the infected device via system surveys and sends the following information to the C2 IP address, which is hardcoded into the RAT binary:
- Language
- Country
- Victim_ID
- Computer_Name
- User_Name
- Implant_Version = "11.0"
- Victim_IP
- System_Architecture
- Drive_Letters
- OS_Version
The RAT also has other spying capabilities, such as monitoring the microphone, clipboard, and screen. When it sends data packets to the C2, everything after the packet header is XOR-encoded with the single-byte key 0x07. In one instance, the agencies observed communications to the hardcoded address 159[.]100[.]250[.]231 over TCP port 8080.
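The single-byte XOR encoding described above is the weakest obfuscation in the set, and the survey field names the MAR lists double as a crib for recovering the key from a capture. The following is an added example, not code from the MARs or from this advisory: it builds a BISTROMATH-style beacon from constructed survey data, then recovers the XOR key by brute force and decodes the body. The 8-byte header and the name=value body layout are assumptions made for illustration; the page only states that data after the header is XOR-encoded with key 0x07. The same approach applies to HOTCROISSANT's XOR-encoded packets once its framing is known.

```python
# Added example (not code from the MARs or this advisory): decoding and
# key recovery for a single-byte XOR-encoded beacon such as BISTROMATH's.
# ASSUMPTIONS: the 8-byte header and the "name=value" body layout are
# constructed for illustration; the page only states that data after the
# header is XOR-encoded with key 0x07.

HEADER_LEN = 8                              # assumed header size
KNOWN_FIELDS = ("Implant_Version", "Computer_Name", "User_Name", "Victim_IP")

# Constructed survey data, using the field names listed in the advisory.
SAMPLE_FIELDS = {
    "Language": "en-US",
    "Country": "US",
    "Victim_ID": "0x1A2B3C4D",
    "Computer_Name": "WS-0421",
    "User_Name": "alice",
    "Implant_Version": "11.0",
    "Victim_IP": "10.20.30.40",
    "System_Architecture": "x64",
    "Drive_Letters": "C:,D:",
    "OS_Version": "6.1.7601",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def encode_beacon(fields: dict, key: int) -> bytes:
    """Build a beacon: fixed header, then the XOR-encoded key=value body."""
    body = "\n".join(f"{k}={v}" for k, v in fields.items()).encode()
    header = b"\x00" * HEADER_LEN          # assumed; the real framing is not on the page
    return header + xor_bytes(body, key)


def decode_beacon(packet: bytes, key: int) -> dict:
    """Strip the header, undo the XOR, and parse the key=value body."""
    body = xor_bytes(packet[HEADER_LEN:], key).decode("ascii", errors="replace")
    return dict(line.split("=", 1) for line in body.splitlines() if "=" in line)


def score_plaintext(candidate: bytes) -> float:
    """Higher is more plausible: printable ratio plus credit for known field names."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    score = printable / max(len(candidate), 1)
    score += 0.5 * sum(1 for f in KNOWN_FIELDS if f.encode() in candidate)
    return score


def recover_xor_key(packet: bytes) -> int:
    """Brute-force the 256 possible single-byte keys against the packet body.

    A single-byte XOR is a bijection on byte values, so only the right key
    turns the body back into printable survey text, and the field names from
    the MAR act as a crib that makes the correct key unambiguous.
    """
    body = packet[HEADER_LEN:]
    return max(range(256), key=lambda k: score_plaintext(xor_bytes(body, k)))


if __name__ == "__main__":
    pkt = encode_beacon(SAMPLE_FIELDS, 0x07)
    key = recover_xor_key(pkt)
    print(f"recovered key: {key:#04x}")
    print(decode_beacon(pkt, key))
```

In practice the header length is read from the sample, not assumed; the scoring function is the part worth keeping, since the same crib-based search works for any single-byte key and for any field names the RAT is known to send.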
The attacker views and manages victim information through the CAgent11 GUI controller. The controller has functions for establishing a remote desktop viewer, enumerating network drives, uploading and downloading files, listing running processes and services, opening a reverse shell, capturing and recording microphone activity, running keyloggers, monitoring browser activity, collecting cached passwords, loading and unloading dynamic link libraries (DLLs), and updating the download payload locations within the RAT binaries. It also has an option to uninstall the RAT from the infected machine.
2.3. SLICKSHOES
SLICKSHOES is a dropper packed with the Themida software protection system. It decodes an embedded payload and writes it to C:\Windows\Web\taskenc.exe, but does not execute it, nor does it create any auto-run keys or scheduled tasks that would run it. The taskenc.exe file is a RAT-like tool that beacons over port 80 every 60 seconds to a C2 IP address (188[.]165[.]37[.]168) hardcoded in its binary. Data packets sent to the C2 are encoded with a custom algorithm. SLICKSHOES supports many features, including conducting system surveys, uploading and downloading files, executing processes and commands, and taking screen captures.
2.4. CROWDEDFLOUNDER
CROWDEDFLOUNDER consists of a 32-bit Windows dropper that the threat actor(s) packed with Themida. When the executable is launched, it unpacks an embedded RAT binary and loads it into memory. The RAT can accept argument values dynamically during execution, or it can be installed directly as a service with command line arguments.
When the RAT is executed, it modifies the Windows Firewall configuration on the victim's machine using the "netsh firewall add portopening" command to allow inbound and outbound connections. This is a noisy action: the new rule is visible in the host firewall configuration, and the netsh invocation appears in process-creation telemetry. The RAT can be enabled as a proxy that listens for incoming connections containing commands, or it can connect directly to its C2 to fetch them.
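Opening a firewall port from the command line is a behaviour worth alerting on regardless of the sample that does it. The following is an added example, not from the MAR: it runs over constructed process-creation events in a Sysmon-like JSON shape (fields assumed: Image, User, CommandLine) and flags both the legacy "netsh firewall add portopening" syntax the RAT uses and the newer "netsh advfirewall firewall add rule" form, extracting the protocol, port, rule name and program so the finding can be checked against an allowlist.

```python
# Added example (not from the MAR): flag process-creation events in which a
# host firewall port is opened from the command line, the action CROWDEDFLOUNDER
# performs with "netsh firewall add portopening". ASSUMPTIONS: the log lines are
# constructed in a Sysmon-like JSON shape with Image, User and CommandLine
# fields; they are not real telemetry.
import json
import re
import shlex

SAMPLE_LOG = r'''
{"Image":"C:\\Windows\\System32\\netsh.exe","User":"WIN10\\alice","CommandLine":"netsh firewall add portopening TCP 8080 \"Windows Update\" ENABLE ALL"}
{"Image":"C:\\Windows\\System32\\netsh.exe","User":"NT AUTHORITY\\SYSTEM","CommandLine":"netsh advfirewall firewall add rule name=\"Remote Helper\" dir=in action=allow protocol=TCP localport=443 program=\"C:\\ProgramData\\svc.exe\""}
{"Image":"C:\\Windows\\System32\\netsh.exe","User":"WIN10\\alice","CommandLine":"netsh interface ip show config"}
{"Image":"C:\\Windows\\explorer.exe","User":"WIN10\\alice","CommandLine":"C:\\Windows\\explorer.exe"}
'''

# The legacy "netsh firewall add portopening" accepts name=value or positional arguments.
LEGACY_POSITIONAL = ("protocol", "port", "name", "mode", "scope", "addresses")
LEGACY_RE = re.compile(r"\bfirewall\s+add\s+portopening\b", re.I)
ADVFW_RE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)


def split_cmdline(cmd: str) -> list:
    """Tokenise a Windows command line: double quotes group, backslash is literal."""
    lex = shlex.shlex(cmd, posix=True)
    lex.whitespace_split = True
    lex.escape = ""          # Windows paths use backslash; do not treat it as an escape
    lex.commenters = ""
    return list(lex)


def parse_args(tokens: list, after: str) -> dict:
    """Collect name=value pairs (and legacy positional values) after a keyword."""
    idx = [t.lower() for t in tokens].index(after)
    args, pos = {}, 0
    for tok in tokens[idx + 1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            args[k.lower()] = v
        elif after == "portopening" and pos < len(LEGACY_POSITIONAL):
            args[LEGACY_POSITIONAL[pos]] = tok
            pos += 1
    return args


def detect_firewall_openings(log_text: str) -> list:
    """Return one finding per event that adds a firewall rule from the command line."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        if LEGACY_RE.search(cmd):
            syntax, args = "legacy", parse_args(split_cmdline(cmd), "portopening")
        elif ADVFW_RE.search(cmd):
            syntax, args = "advfirewall", parse_args(split_cmdline(cmd), "rule")
        else:
            continue
        findings.append({
            "image": ev.get("Image"),
            "user": ev.get("User"),
            "syntax": syntax,
            "protocol": args.get("protocol", "").upper(),
            "port": args.get("port") or args.get("localport"),
            "name": args.get("name"),
            "program": args.get("program"),
            # the legacy command only ever opens inbound ports
            "direction": "in" if syntax == "legacy" else args.get("dir"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_firewall_openings(SAMPLE_LOG):
        print(f)
```

The rule name is the field to scrutinise: malware tends to pick names that blend in ("Windows Update" above is constructed, but the pattern is common), so compare the program path and port against what that name is legitimately expected to open rather than trusting the name itself.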
2.5. HOTCROISSANT
Similar to BISTROMATH, HOTCROISSANT also uses a RAT to profile the infected machine and make calls to its C2. The reporting agencies used static analysis to determine that HOTCROISSANT performs malicious functions, including conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. HOTCROISSANT encodes the data packets that it sends to the C2 using a custom XOR cipher algorithm.
2.6. ARTFULPIE
ARTFULPIE is a downloader that fetches an executable from the hardcoded URL hXXp://193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll using the browser user-agent string "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)", then loads the DLL's contents into the infected computer's memory. Note that this is the standard Internet Explorer 9 on Windows 7 user-agent string, so it is not a reliable indicator on its own; the URL is. The MAR does not identify the downloaded payload.
2.7. BUFFETLINE
BUFFETLINE is a RAT that attempts to mask its use of network functions with a customized RC4 algorithm, which it uses to obfuscate the strings used for API lookups as well as the strings used during the network handshake. It resolves the APIs it needs at run time through LoadLibrary() and GetProcAddress(), so the imports do not appear in the binary's import table.
The RAT binary is hardcoded with a plain text C2 IP address, and it initiates a connection by performing a PolarSSL handshake using TLS version 1.1. The RAT does not use the session key negotiated in that handshake for its subsequent communications; instead, it sends packets consisting of a fake TLS header followed by a body encoded with a custom XOR cipher. After sending victim information, the RAT waits for commands from its C2.
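Two of BUFFETLINE's tricks, and HOPLIGHT's fake TLS sessions in section 2.1, are easier to reason about with working code. The following is an added example, not BUFFETLINE's code: it implements textbook RC4 and uses it to decrypt an obfuscated API-name table the way a RAT would just before calling GetProcAddress(), then builds a fake TLS 1.1 application-data record whose body is XOR-encoded rather than protected by a session key, and shows an entropy heuristic that separates such records from genuinely encrypted ones. The MAR calls BUFFETLINE's RC4 "customized" without saying how, so the cipher here is the standard one; STRING_KEY, the API name table, the 5-byte record framing and the XOR key are constructed for illustration.

```python
# Added example (not BUFFETLINE's code): RC4-obfuscated API-name strings that
# are decrypted just before lookup, and a fake TLS record whose body is
# XOR-encoded rather than protected by the negotiated session key.
# ASSUMPTIONS: the MAR calls BUFFETLINE's RC4 "customized" without saying how,
# so this is textbook RC4; STRING_KEY, the string table and the 5-byte record
# framing are constructed for illustration.
import hashlib
import math
import struct
from collections import Counter

STRING_KEY = b"example-rc4-key"            # assumed; not BUFFETLINE's key
API_NAMES = ("LoadLibraryA", "GetProcAddress", "WSAStartup", "connect", "send", "recv")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# In a real sample these ciphertexts are static bytes in the binary; here they
# are produced at import time from the plaintext names so the example is self-contained.
OBFUSCATED_STRINGS = {name: rc4(STRING_KEY, name.encode()) for name in API_NAMES}


def resolve_api_name(blob: bytes) -> str:
    """What the RAT does before GetProcAddress(): decrypt the name, then look it up."""
    return rc4(STRING_KEY, blob).decode("ascii")


TLS_APPLICATION_DATA = 0x17
TLS_1_1 = (3, 2)                           # record-layer version bytes for TLS 1.1


def fake_tls_record(body: bytes, xor_key: int) -> bytes:
    """A TLS 1.1 application-data header in front of a single-byte-XOR body."""
    enc = bytes(b ^ xor_key for b in body)
    return struct.pack("!BBBH", TLS_APPLICATION_DATA, *TLS_1_1, len(enc)) + enc


def parse_tls_record(rec: bytes) -> tuple:
    """Split a record into (content_type, (major, minor), payload)."""
    ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
    return ctype, (major, minor), rec[5:5 + length]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real ciphertext sits near 8, XOR-encoded text far below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_fake_tls(rec: bytes, threshold: float = 6.5) -> bool:
    """Heuristic: an application-data record whose payload has low entropy.

    A single-byte XOR only permutes byte values, so the payload keeps the
    entropy of the underlying plaintext; genuinely encrypted records do not.
    Short records are skipped because entropy estimates on them are unreliable.
    """
    ctype, _version, payload = parse_tls_record(rec)
    return ctype == TLS_APPLICATION_DATA and len(payload) >= 64 and shannon_entropy(payload) < threshold


# Constructed stand-in for properly encrypted application data (pseudo-random bytes).
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


if __name__ == "__main__":
    print(resolve_api_name(OBFUSCATED_STRINGS["GetProcAddress"]))
    rec = fake_tls_record(b"Implant_Version=11.0\n" * 8, 0x5A)
    print(parse_tls_record(rec)[:2], looks_like_fake_tls(rec))
    print(looks_like_fake_tls(fake_tls_record(RANDOM_LIKE, 0)))
```

The entropy check is a triage heuristic, not a signature: it will also fire on compressed or padded data in unusual TLS stacks, so it belongs in a pipeline that then confirms the suspect flow against the C2 addresses in section 4 rather than in a blocking rule.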
3. Prevention and Mitigation
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against attacks related to HIDDEN COBRA. CISA also stresses that system configuration changes should be reviewed with system owners and administrators before they are implemented, because they can have unwanted impacts on business operations.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
4. Indicators of Compromise (IOCs)
Indicators are listed defanged, grouped by description.
HOPLIGHT C2 / Proxy
- 112[.]175[.]92[.]57
- 113[.]114[.]117[.]122
- 117[.]239[.]241[.]2
- 119[.]18[.]230[.]253
- 128[.]200[.]115[.]228
- 137[.]139[.]135[.]151
- 14[.]140[.]116[.]172
- 181[.]39[.]135[.]126
- 186[.]169[.]2[.]237
- 195[.]158[.]234[.]60
- 197[.]211[.]212[.]59
- 21[.]252[.]107[.]198
- 210[.]137[.]6[.]37
- 217[.]117[.]4[.]110
- 218[.]255[.]24[.]226
- 221[.]138[.]17[.]152
- 26[.]165[.]218[.]44
- 47[.]206[.]4[.]145
- 70[.]224[.]36[.]194
- 81[.]94[.]192[.]10
- 81[.]94[.]192[.]147
- 84[.]49[.]242[.]125
- 97[.]90[.]44[.]200
HOPLIGHT executable SHA256
- 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461
- 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
- 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319
- 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
- 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
- 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
- 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
- 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
- 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818
- 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
- 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
- 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
- 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
- b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
- b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
- c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8
- d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
- ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
- f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
- fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
HOPLIGHT dropped files SHA256
- 44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980
- 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
- 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
- 823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
- ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
- cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
BISTROMATH RAT SHA256
- 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
- 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
- b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
- 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
- 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
BISTROMATH CAgent Controller/Builder SHA256
- 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30
- 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6
BISTROMATH PE32 executable SHA256
- fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
- a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
SLICKSHOES dropper SHA256
- fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
SLICKSHOES C2
- 188[.]165[.]37[.]168
CROWDEDFLOUNDER dropper SHA256
- a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
HOTCROISSANT RAT SHA256
- 8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085
HOTCROISSANT C2
- 94[.]177[.]123[.]138:8080
ARTFULPIE downloader SHA256
- 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c
ARTFULPIE payload download location
- hXXp[:]//193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll
BUFFETLINE RAT SHA256
- 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
BUFFETLINE C2
- 107[.]6[.]12[.]135:443
- 210[.]202[.]40[.]35:443
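The indicators above are defanged for safe publication and mix three kinds of value (IPv4 with or without a port, a URL, and SHA256 hashes), so they need normalising before they can be searched for. The following is an added example, not part of the advisory: it refangs a subset of the table's indicators, classifies each one, and matches them against constructed proxy, firewall and EDR log lines with boundaries that prevent a longer address or hash from matching a shorter one. The log lines are made up for illustration, not real data.

```python
# Added example (not part of the advisory): refang the defanged indicators from
# the table above, classify them, and match them against log lines.
# ASSUMPTIONS: the log lines are constructed for illustration, not real data;
# only a subset of the table's indicators is included.
import re

# (defanged indicator, description) pairs taken from the table above.
IOCS = [
    ("188[.]165[.]37[.]168", "SLICKSHOES C2"),
    ("159[.]100[.]250[.]231", "BISTROMATH C2"),
    ("94[.]177[.]123[.]138:8080", "HOTCROISSANT C2"),
    ("107[.]6[.]12[.]135:443", "BUFFETLINE C2"),
    ("hXXp[:]//193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll", "ARTFULPIE payload download location"),
    ("606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c", "ARTFULPIE downloader SHA256"),
]

# Constructed log lines: a proxy record, two firewall records, an EDR file-hash record.
SAMPLE_LOGS = """\
proxy 2020-02-14T10:01:02Z 10.0.0.5 GET http://193.56.28.103:88/xampp/thinkmeter.dll 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
fw 2020-02-14T10:02:00Z src=10.0.0.5 dst=188.165.37.168 dport=80 proto=tcp action=allow
fw 2020-02-14T10:02:30Z src=10.0.0.7 dst=188.165.37.1 dport=443 proto=tcp action=allow
edr 2020-02-14T10:03:15Z host=WS-0421 file=C:\\Users\\alice\\Downloads\\update.exe sha256=606C6000F36DC69FEFC6DF828E1AC9C5529A71A62B99F5DF55463606C4C9689C
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP_PORT_RE = re.compile(rf"^({IPV4})(?::(\d+))?$")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: [.]  [:]  hXXp."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def classify(ioc: str) -> tuple:
    """Return (kind, value, port) for a refanged indicator."""
    if SHA256_RE.match(ioc):
        return "sha256", ioc.lower(), None
    m = IP_PORT_RE.match(ioc)
    if m:
        return "ip", m.group(1), m.group(2)
    if re.match(r"^https?://", ioc, re.I):
        return "url", ioc, None
    return "unknown", ioc, None


def compile_matcher(kind: str, value: str):
    """Regex that will not fire on a longer IP or hash that merely contains ours."""
    if kind == "ip":
        return re.compile(rf"(?<![\d.]){re.escape(value)}(?![\d.])")
    if kind == "sha256":
        return re.compile(rf"(?<![0-9a-fA-F]){value}(?![0-9a-fA-F])", re.I)
    return re.compile(re.escape(value), re.I)


def match_logs(iocs: list, log_text: str) -> list:
    """Return (line_no, description, indicator) for every IOC hit in the logs.

    C2 addresses are matched on the host only: contact with a known C2 host on
    any port is worth a look, and the port from the table travels with the hit.
    """
    matchers = []
    for defanged, desc in iocs:
        indicator = refang(defanged)
        kind, value, _port = classify(indicator)
        matchers.append((compile_matcher(kind, value), desc, indicator))
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for rx, desc, indicator in matchers:
            if rx.search(line):
                hits.append((n, desc, indicator))
    return hits


if __name__ == "__main__":
    for hit in match_logs(IOCS, SAMPLE_LOGS):
        print(hit)
```

The third firewall line (dst=188.165.37.1) is there to show the boundary handling: a plain substring search for the SLICKSHOES address would not match it either, but the reverse case, a short indicator contained in a longer address or hash, is the one that produces false positives without the lookaround.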
[1] https://www.us-cert.gov/ncas/analysis-reports/ar19-304a
[2] https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
[3] https://www.us-cert.gov/ncas/analysis-reports/AR20-045B
[4] https://www.us-cert.gov/ncas/analysis-reports/AR20-045C
[5] https://www.us-cert.gov/ncas/analysis-reports/AR20-045D
[6] https://www.us-cert.gov/ncas/analysis-reports/AR20-045E
[7] https://www.us-cert.gov/ncas/analysis-reports/ar20-045f
[8] https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
[9] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20190910_HIDDEN_C...
[10] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20190910_HIDDEN_C...
[11] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20191031_HIDDEN_C...
[12] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20181006_HIDDEN_C...
[13] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20180809_CTA_KEYM...
[14] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20180618_CTA_Type...
[15] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/CTA-2018-001%20Br...
[16] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/CTA-2017-004_Hidd...