Reply

HIDDEN COBRA Malware Updates

[ Edited ]
Adviser
Posts: 321
1541     0

Date: 14 February 2020

TLP:WHITE

Author:  Christopher Kim

1.     Executive Summary

On 14 February, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) jointly published seven Malware Analysis Reports (MARs) regarding the following malware variants: HOPLIGHT,[1] BISTROMATH,[2] SLICKSHOES,[3] CROWDEDFLOUNDER,[4] HOTCROISSANT,[5] ARTFULPIE,[6] and BUFFETLINE.[7] The reporting agencies attributed these malware variants to the North Korean government, whose malicious cyber activities are commonly referred to as HIDDEN COBRA.[8]

 

All of the malware variants use a remote access trojan (RAT) to send victim information to a hardcoded command and control (C2) IP address. The RAT payload can either be fetched from a download URL, or directly written to a specific file location on the infected machine if it was embedded in a dropper. The RAT can be loaded into memory and can then initiate connections with its C2, or it can be installed as a proxy service that listens for inbound packets containing commands. According to the MARs, the HIDDEN COBRA actor(s) used encryption languages, such as XOR cipher and Rivest Cipher 4 (RC4), as well as fake transport layer security (TLS) headers in an attempt to obfuscate their network communications.

 

The MARs did not identify any actual or intended victims, but HIDDEN COBRA activity has historically been focused against the media, aerospace, and financial industries, as well as other critical infrastructure industries.3 The following advisories from the Infoblox Cyber Intelligence Unit provide additional information and context about past HIDDEN COBRA activity:

  • HIDDEN COBRA: BADCALL (Sep 2019)[9]
  • HIDDEN COBRA: ELECTRICFISH (May 2019)[10]
  • HIDDEN COBRA: HOPLIGHT (Apr 2019)[11]
  • HIDDEN COBRA: FASTCash (Oct 2018)[12]
  • HIDDEN COBRA: Keymarble (Aug 2018)[13]
  • HIDDEN COBRA: Typeframe (June 2018)[14]
  • HIDDEN COBRA: Brambul Worm & Joanap RAT (May 2018)[15]
  • HIDDEN COBRA: Fallchill RAT & Volgmer Trojan (Nov 2017)[16]

2.     Analysis

All of the MARs except for the one on ARTFULPIE described functions of the RATs. The reports were consistent and included capabilities such as conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. Communication between the RAT and C2(s) were always encrypted with XOR cipher or RC4. The reporting agencies described ARTFULPIE as a downloader that loads a .dll extension file payload to the computer memory, but did not provide further details.

 

          2.1.         HOPLIGHT

 

According to the MAR, analysts found at least 20 malicious executable files pertaining to HOPLIGHT. Most of these files are proxy applications that serve to mask traffic between the malware and the remote operators. These proxies are capable of generating fake TLS handshake sessions using valid public secure sockets layer (SSL) certificates, which allow malicious actors to further disguise HOPLIGHT’s network connections with remote systems.

 

One of HOPLIGHT’s files contains a public SSL certificate along with a payload that appears to be encoded with a password or key. Another file does not contain any public SSL certificates, but attempts outbound connections and drops several files.

 

          2.2.         BISTROMATH

 

The BISTROMATH malware uses a graphical user interface (GUI) controller named CAgent<version_number> (e.g. Cyber Agent v11.0) to dynamically build and run RATs on the infected machine. The reporting agencies identified nine executables that were associated with BISTROMATH operations, and confirmed that five of them were RAT payloads and two were GUI controllers. When the controller builds the RAT, it dynamically defines the values for the following options:

  • Callback IP (C2 IP address)
  • Callback Port (Port number of the C2 IP address)
  • Beacon Interval (Wait time before re-attempting a connection to the C2)
  • Output Path (Write location for RAT payload)

The RAT profiles the infected device via system surveys and sends the below information to the C2 IP address, which is hardcoded into the RAT binary. Additionally, the RAT has other spying capabilities, such as monitoring the microphone, clipboard, and computer screen. When the malware sends data packets to the C2, it encodes data after the header via XOR cipher with the XOR key 0x07. In one instance, the agencies saw communications to the hard coded address 159[.]100[.]250[.]231 over port 8080 using TCP.

  • Language
  • Country
  • Victim_ID
  • Computer_Name
  • User_Name
  • Implant_Version = "11.0"
  • Victim_IP
  • System_Architecture
  • Drive_Letters
  • OS_Version

The attacker views and manages victim information through the CAgent11 GUI controller. The controller has functions for establishing a remote desktop viewer, performing network drive enumeration, uploading/downloading files, listing running processes and services, setting a reverse shell, capturing and recording computer microphone activity, running keyloggers, monitoring browser activity, collecting cached passwords, dynamic link library (DLL) loading and unloading, and updating download payload locations within the RAT binaries. It also has the option to uninstall the RAT from the infected machine.

 

          2.3.         SLICKSHOES

 

SLICKSHOES uses a dropper malware packed using the Themida software protection system. It decodes an embedded payload and drops the file at C:\Windows\Web\taskenc.exe. The dropper does not execute it however; nor does it create any auto-run keys or scheduled tasks that run it. The taskenc.exe file is a RAT-like tool that makes calls over port 80 every 60 seconds to a C2 IP address (188[.]165[.]37[.]168), which is hardcoded into the taskenc.exe binary. Data packets sent to the C2 are also encoded using a unique algorithm. SLICKSHOES comes with many features, including conducting system surveys, uploading and downloading files, executing processes and commands, and taking screen captures.

 

          2.4.         CROWDEDFLOUNDER

 

CROWDEDFLOUNDER consists of a 32-bit Windows dropper that the threat actor(s) packed using Themida software. When the executable is launched, it unpacks an embedded RAT binary and loads it into memory. The RAT can accept dynamic argument values during execution or it can be directly installed as a service with command line arguments.

 

When the RAT is executed, it modifies the Windows Firewall configuration on the victim’s machine using the "netsh firewall add portopening" command to allow inbound and outbound connections. The RAT can be enabled as a proxy that listens for incoming connections containing commands, or directly connects to its C2 to fetch them.

 

          2.5.         HOTCROISSANT

 

Similar to BISTROMATH, HOTCROISSANT also uses a RAT to profile the infected machine and make calls to its C2. The reporting agencies used static analysis to determine that HOTCROISSANT performs malicious functions, including conducting system surveys, uploading and downloading files, executing processes and commands, and performing screen captures. HOTCROISSANT encodes the data packets that it sends to the C2 using a custom XOR cipher algorithm.

 

          2.6.         ARTFULPIE

ARTFULPIE uses a downloader to fetch an executable from a hardcoded URL hXXp://193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll with the browser user-agent string "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)." It then loads .dll file contents into the infected computer's memory. The reporting agencies did not mention the identity of the downloaded payload in the MAR report.

 

          2.7.         BUFFETLINE

 

BUFFETLINE is a RAT that attempts to mask its usage of network functions using a customized RC4 encryption algorithm to obfuscate strings used for API lookups, as well as strings used during the network handshake. It uses API calls such as LoadLibrary() and GetProcessAddress() to load DLLs.

 

The RAT binary is hardcoded with a plain text C2 IP address, and initiates a connection to it by performing a PolarSSL handshake using TLS version 1.1. The RAT does not use the session key generated via the PolarSSL TLS in its following communications; instead, it sends packets containing a fake TLS header encrypted with a custom XOR cipher. The RAT then waits for commands from its C2 after sending victim information.

3.   Prevention and Mitigation

The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against attacks related to HIDDEN COBRA. CISA also stresses that it is crucial to review system configuration changes with system owners and administrators before implementing them because users may face unwanted impacts that can damage their business.

 

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

4.  Indicators of Compromise (IOCs)

Indicator

Description

112[.]175[.]92[.]57

113[.]114[.]117[.]122

117[.]239[.]241[.]2

119[.]18[.]230[.]253

128[.]200[.]115[.]228

137[.]139[.]135[.]151

14[.]140[.]116[.]172

181[.]39[.]135[.]126

186[.]169[.]2[.]237

195[.]158[.]234[.]60

197[.]211[.]212[.]59

21[.]252[.]107[.]198

210[.]137[.]6[.]37

217[.]117[.]4[.]110

218[.]255[.]24[.]226

221[.]138[.]17[.]152

26[.]165[.]218[.]44

47[.]206[.]4[.]145

70[.]224[.]36[.]194

81[.]94[.]192[.]10

81[.]94[.]192[.]147

84[.]49[.]242[.]125

97[.]90[.]44[.]200

HOPLIGHT C2 / Proxy

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461

0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571

084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d

1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525

32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a

8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520

b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9

b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d

f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03

fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5

HOPLIGHT executable SHA256

44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289

823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f

HOPLIGHT SHA256 for dropped files

133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f

1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39

b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790

43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c

BISTROMATH RAT SHA256

04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30

618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6

BISTROMATH CAgent Controller/Builder SHA256

fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac

a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442

BISTROMATH PE32 executable SHA256

fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac

SLICKSHOES dropper SHA256

188[.]165[.]37[.]168

SLICKSHOES C2

a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442

CROWDEDFLOUNDER dropper SHA256

8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085

HOTCROISSANT RAT SHA256

94[.]177[.]123[.]138:8080

HOTCROISSANT C2

606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c

ARTFULPIE downloader SHA256

hXXp[:]//193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll

ARTFULPIE payload download location

52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695

BUFFETLINE RAT SHA256

107[.]6[.]12[.]135:443

210[.]202[.]40[.]35:443

BUFFETLINE C2

 

 

[1] https://www.us-cert.gov/ncas/analysis-reports/ar19-304a

[2] https://www.us-cert.gov/ncas/analysis-reports/ar20-045a

[3] https://www.us-cert.gov/ncas/analysis-reports/AR20-045B

[4] https://www.us-cert.gov/ncas/analysis-reports/AR20-045C

[5] https://www.us-cert.gov/ncas/analysis-reports/AR20-045D

[6] https://www.us-cert.gov/ncas/analysis-reports/AR20-045E

[7] https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

[8] https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

[9] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20190910_HIDDEN_C...

[10] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20190910_HIDDEN_C...

[11] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20191031_HIDDEN_C...

[12] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20181006_HIDDEN_C...

[13] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20180809_CTA_KEYM...

[14] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/20180618_CTA_Type...

[15] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/CTA-2018-001%20Br...

[16] https://sites.google.com/a/infoblox.com/cyberint-threat-labs/home/publication-repo/CTA-2017-004_Hidd...

Showing results for 
Search instead for 
Did you mean: 

Recommended for You