Yesterday, on the third anniversary of the notorious global WannaCry ransomware epidemic, which was blamed on North Korea, the U.S. government released information about three new strains of malware used by North Korean state-sponsored hackers.
The malware variants, named COPPERHEDGE, TAINTEDSCRIBE and PEBBLEDASH, are capable of remote reconnaissance and exfiltration of sensitive information from target systems. That is the conclusion of a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD).
The three new strains are the latest additions to a long list of more than 20 malware samples, including BISTROMATH, SLICKSHOES, HOPLIGHT and ELECTRICFISH, that U.S. authorities have identified as part of a series of North Korean government cyber operations tracked as Hidden Cobra, better known as the Lazarus Group.
Fully featured Trojans
COPPERHEDGE, the first of the three new variants, is a full-featured Remote Access Tool (RAT) capable of executing arbitrary commands, performing system reconnaissance and exfiltrating data. It is used by advanced persistent threat (APT) actors to target cryptocurrency exchanges and related entities. Six distinct versions of COPPERHEDGE have been identified.
TAINTEDSCRIBE is a backdoor implant that masquerades as Microsoft's Narrator screen-reader utility. It fetches malicious payloads from a command-and-control (C2) server, downloads and executes files, and can create and terminate processes.
Finally, PEBBLEDASH, like TAINTEDSCRIBE, is another Trojan with functions for downloading, uploading, deleting and executing files, enabling Windows command-line (CLI) access, creating and terminating processes, and enumerating target systems.
Significant Cyber-espionage threat
The 2017 WannaCry ransomware infection, also known as Wanna Decryptor, used a Windows SMB exploit called EternalBlue to let a remote attacker hijack unpatched Windows computers and hold their files to ransom for Bitcoin payments of up to $600. The attack has since been attributed to Hidden Cobra.
With the Lazarus Group held responsible for stealing more than $571 million in cryptocurrency from online exchanges, its financially motivated attacks prompted the U.S. Treasury Department to impose sanctions on the group and its two sub-groups, Bluenoroff and Andariel, in September last year.
In early March this year, the U.S. Department of Justice (DOJ) indicted two Chinese nationals acting on behalf of North Korean threat actors for allegedly laundering more than $100 million in stolen cryptocurrency, in part through Apple iTunes prepaid gift cards.
Last month, the U.S. government issued an advisory on the significant cyber threat posed by North Korean hackers to banks and financial institutions worldwide and offered a reward of up to $5 million for information on the DPRK's past or ongoing illicit activities in cyberspace.
"The DPRK's malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system," the advisory warned.
Under pressure from severe U.S. and UN sanctions, the DPRK is increasingly relying on illicit activities, including cybercrime, to generate revenue for its weapons of mass destruction and ballistic missile programs.