
Red Children of Censorship
A North Korean state-sponsored cyber espionage group that focuses on targeting the public and private sectors, primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.
Indicators of Compromise
Domains (213)
upload.mydrives.mlhelp.mappo-on.lifetorbrowser.iosztianhao.en.china.cntor-browser.ioeve.uedmei.comeventosatitlan.comhelper.canvas-life.mewww.eventosatitlan.compelebra.atwebpages.comhelp.octo-manage.netcsv.posadadesantiago.comarray.prototype.slice.callmyaccounts.posadadesantiago.comview-hanmail.netnid.naver.corper.becom-accountprotect.workmsdatl3.incresetprofile.comusernaver.com
+193 more
Hashes (5287)
f7ae9bdd03e5df038aad0e809dbf31a00ca5e3b6aec3960417e14d5da18fd3739e91b75553fb43947fab0646e1a96d8884deeb4ff76d55b25804f64f9ab09558e03455edcc817804aae7b40374397546a3bd4d0ef9c1d521d1ebb0808b93c4e5c8b0f229d38bab78f43cfb46258ada893331872ec994527dde6d28e0e8312f6de0e4183239c438d7f2819da99ca54a70b5fd6241e6f6ec4a9b3a6926ad4ebe4b76accbc49716d24a290721a6bd2dcc37d6b2e4edb5575afc7d8aad3e43a1ce65d616f0fdf18aaba23a0d9e6b56b75030778e312498e764b75d7ebde740b0e29e500f624318f7d4b43d24fdbe698fbe41fbb999e31c83842dbc11e510735a90b29e72f723655b2d8905c40d39278fcdfa341d7a3cfc0dcb6c3b0bb0b46a4bad7d5c2a00c132ea3f737ff78ac771bca39d9412d3147b30a873b94e2d0f495eafdea1479ee1cffc78e64ca2533de6c216b9420fde1e51884ac2b82e340a400466ed960020176e119ea0949cbdcde34953cf468f8fc5ca0f00051eb8654163bc238b4ee97826969017faa09e2a6ca8b0a09b8d127e94310e63db5fd9e02542be3e49ce6d5ff1924b8583fe2267e697a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e6e18fab506aefe0e1d1bdbb7bf61963075a4db61cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c1c6e66b81f055854cd2a8db9042e1dd0dc629613
+5267 more
IPv4 (5145)
2.50.161.6196.221.77.89198.211.118.18747.108.63.51194.5.249.156216.201.162.1582.232.253.79193.248.154.17441.176.38.11424.122.0.9045.86.74.111194.5.97.17437.235.230.123198.71.50.125199.247.22.145203.198.96.22737.46.150.191219.76.148.249217.160.107.18931.57.48.136
+5125 more
CVEs (1)
CVE-2017-0199
Emails (2)
APT Groups
APT37
Korea, Democratic People's Republic of
Kimsuky
Notes
Primary mission is covert intelligence gathering in support of North Korea’s strategic military, political and economic interests. This is based on consistent targeting of South Korean public and private entities and social engineering. APT37’s recently expanded targeting scope also appears to have direct relevance to North Korea’s strategic interests.<div><br></div><div><h5>North Korean Malicious Cyber Activity</h5><div><br></div><div><table border="1" cellpadding="1" cellspacing="1" class="general-table" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; color: rgb(51, 51, 51); font-family: " font-size: 16px; width: 844.9px; height: 312px; margin-right: auto; margin-left: auto;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; background-color: rgb(241, 241, 241);"><th style="box-sizing: border-box; padding: 0px; text-align: left;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><strong style="box-sizing: border-box;">Publication Date</strong></p></th><th style="box-sizing: border-box; padding: 0px; text-align: left; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><strong style="box-sizing: border-box;">Title</strong></p></th><th style="box-sizing: border-box; padding: 0px; text-align: left; width: 630px;"><strong style="box-sizing: border-box;">Description</strong></th></tr></thead><tbody style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">July 6, 2022</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-187a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint FBI-CISA-Treasury CSA: North Korean 
State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;">The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.</p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">April 18, 2022</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-108a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint FBI-CISA-Treasury CSA: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory highlighting the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat.</p><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;">This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. 
</p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">February 17, 2021</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.gov/ncas/alerts/aa21-048a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint FBI-CISA-Treasury CSA: AppleJeus: Analysis of North Korea's Cryptocurrency Malware</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-1.v1: AppleJeus – Celas Trade Pro</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-2.v1: AppleJeus – JMT Trading</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-3.v1: AppleJeus – Union Crypto</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-4.v1: AppleJeus – Kupay Wallet</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-5.v1: AppleJeus – CoinGoTrade</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f" style="box-sizing: border-box; background-color: transparent; color: 
rgb(43, 114, 175);">MAR 10322463-6.v1: AppleJeus – Dorusio</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10322463-7.v1: AppleJeus – Ants2Whale</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">October 27, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint CISA-CNMF-FBI CSA: North Korean Advanced Persistent Threat Focus: Kimsuky</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA, FBI, and the U.S. 
Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">August 26, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint CISA-Treasury-FBI-USCYBERCOM CSA: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT</a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. 
Government as “FASTCash.”</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">August 19, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10295134.r1.v1: North Korean Remote Access Trojan: BLINDINGCAN</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">May 12, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-133a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-133b" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE</a></li><li style="box-sizing: 
border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-133c" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">CISA, FBI, and DoD identified three malware variants used by the North Korean government. </p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;">COPPERHEDGE is Manuscrypt family of malware is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities.</li><li style="box-sizing: border-box;">TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.</li></ul></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">May 12, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA, FBI, and the broader U.S. 
Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">April 15, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/alerts/aa20-106a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">U.S. Government Advisory: Guidance on the North Korean Cyber Threat</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. 
The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">February 14, 2020</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10265965-1.v1: North Korean Trojan: BISTROMATH</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR20-045B" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10265965-2.v1: North Korean Trojan: SLICKSHOES</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR20-045C" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10265965-3.v1: North Korean Trojan: CROWDEDFLOUNDER</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR20-045D" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10271944-1.v1: North Korean Trojan: HOTCROISSANT</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR20-045E" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10271944-2.v1: North Korean Trojan: ARTFULPIE</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045f" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10271944-3.v1: North Korean Trojan: BUFFETLINE</a></li><li style="box-sizing: border-box;"><a 
href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045g" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-8.v4: North Korean Trojan: HOPLIGHT </a><em style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Note: </strong>this version of HOPLIGHT MAR updates the <a href="https://www.us-cert.gov/ncas/analysis-reports/ar19-304a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">October 31, 2019 version</a>, which updated <a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">April 10, 2019 version.</a></em></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.</p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;">BISTROMATH looks at multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.</li><li style="box-sizing: border-box;">SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.</li><li style="box-sizing: border-box;">CROWDEDFLOUNDER looks at Themida packed Windows executable.</li><li style="box-sizing: border-box;">HOTCROSSIANT is a full-featured beaconing implant.</li><li style="box-sizing: border-box;">ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.</li><li style="box-sizing: border-box;">BUFFETLINE is a full-featured beaconing implant.</li><li style="box-sizing: border-box;">HOPLIGHT looks at multiple malicious executable files. 
Some of which are proxy applications that mask traffic between the malware and the remote operators.</li></ul></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">September 9, 2019</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar19-252b" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH</a> <em style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Note: </strong>this version of the ELECTRICFISH MAR updates the </em><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR19-129A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">May 9, 2019 version.</a></li><li style="box-sizing: border-box;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar19-252a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-10: North Korean Trojan: BADCALL </a><em style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Note: </strong>this version of the BADCALL MAR updates the</em> <a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-G.PDF" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">February 6, 2018 version:</a> and <a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-G_WHITE_stix.xml" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">STIX file.</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">CISA, FBI, and DoD identified 
multiple malware variants used by the North Korean government.</p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;">ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.</li><li style="box-sizing: border-box;">BADCALL malware is an executable that functions as a proxy server and implements a "Fake TLS" method.</li></ul><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"> </p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">October 2, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA18-275A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA18-275A - HIDDEN COBRA FASTCash Campaign</a></li><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-275A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10201537: HIDDEN COBRA FASTCash-Related Malware</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. 
Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">August 9, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-221A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-17: North Korean Trojan: KEYMARBLE</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">June 14, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-165A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-12: North Korean Trojan: TYPEFRAME</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. 
This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">May 29, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA18-149A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm</a></li><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-149A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-3: HIDDEN COBRA RAT/Worm</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government:</p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;">A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.</li></ul><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"> </p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">March 28, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; 
margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536.11: North Korean Trojan: SHARPKNOT</a><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536.11.WHITE.stix.xml" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">STIX file for MAR 10135536.11</a></li></ul></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">February 13, 2018</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-F.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536-F: North Korean Trojan: HARDRAIN</a><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-F_WHITE_stix.xml" style="box-sizing: border-box; background-color: transparent; color: 
rgb(43, 114, 175);">STIX file for MAR 10135536-F</a></li></ul></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">December 21, 2017</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10135536: North Korean Trojan: BANKSHOT</a><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-B_WHITE_stix.xml" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">STIX file for MAR 10135536</a></li></ul></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;">DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. 
This MAR analyzes three malicious executable files.</p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;">Two files are 32-bit Windows executables that function as Proxy servers and implement a "Fake TLS" method.</li><li style="box-sizing: border-box;">The third file is an Executable Linkable Format file designed to run on Android platforms as a fully functioning Remote Access Trojan.</li></ul></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">November 14, 2017</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-318A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL</a></li><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-318B" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. 
DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">August 23, 2017</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10132963.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MAR 10132963: Analysis of DeltaCharlie Attack Malware</a><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10132963_stix_0.xml" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">STIX file for MAR 10132963</a></li></ul></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">This MAR examines the functionality of the DeltaCharlie malware variant used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure (refer to <a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-164A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">TA17-164A</a>). 
DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">June 13, 2017</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-164A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. 
government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.</td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;">May 12, 2017</td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/TA17-132A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert TA17-132A: Indicators Associated With WannaCry Ransomware</a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;">This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.<br><br></td></tr></tbody></table></div></div>
Mitigation
<p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5; font-size: 16px; color: rgb(51, 51, 51); font-family: "">North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets. The U.S. government recommends implementing mitigations to protect critical infrastructure organizations.</p><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em; font-size: 16px; color: rgb(51, 51, 51); font-family: ""><li style="box-sizing: border-box;">Apply a defense-in-depth security strategy. Apply security principles—such as least-access models and defense-in-depth—to user and application privileges to help prevent exploitation attempts from being successful. Use network segmentation to separate networks into zones based on roles and requirements. Separate network zones can help prevent lateral movement throughout the organization and limit the attack surface. See NSA’s <a href="https://media.defense.gov/2019/Jul/16/2002158046/-1/-1/0/CSI-NSAS-TOP10-CYBERSECURITY-MITIGATION-STRATEGIES.PDF" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Top Ten Cybersecurity Mitigation Strategies</a> for strategies enterprise organizations should use to build a defense-in-depth security posture. <br><br></li><li style="box-sizing: border-box;">Implement patch management. Initial and follow-on exploitation involves leveraging common vulnerabilities and exposures (CVEs) to gain access to a networked environment. Organizations should have a timely vulnerability and patch management program in place to mitigate exposure to critical CVEs. Prioritize patching of internet-facing devices and monitor them accordingly for any malicious logic attacks. <br><br></li><li style="box-sizing: border-box;">Enforce credential requirements and multifactor authentication. 
North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. The U.S. government recommends organizations implement and enforce multifactor authentication (MFA) to reduce the risk of credential theft. Be aware of <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">MFA interception techniques for some MFA implementations</a> and monitor for anomalous logins.<br><br></li><li style="box-sizing: border-box;">Educate users on social engineering on social media and spearphishing. North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. A cybersecurity-aware workforce is one of the best defenses against social engineering techniques like phishing. User training should include how to identify social engineering techniques and the awareness that links and attachments should only be opened from trusted senders.<br><br></li><li style="box-sizing: border-box;">Implement email and domain mitigations. Maintain awareness of themed emails surrounding current events. Malicious cyber actors use current events as lures for potential victims, as observed during the COVID-19 pandemic. Organizations should have a robust domain security solution that includes leveraging reputation checks and closely monitoring or blocking newly registered domains (NRDs) in enterprise traffic. NRDs are commonly established by threat actors prior to malicious engagement.<ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;">HTML and email scanning. Organizations should disable HTML from being used in emails and scan email attachments. 
Embedded scripts may be hard for an antivirus product to detect if they are fragmented. An additional malware scanning interface product can be integrated to combine potentially malicious payloads and send the payload to the primary antivirus product. Hyperlinks in emails should also be scanned and opened with precautionary measures to reduce the likelihood of a user clicking on a malicious link.<br><br></li></ul></li><li style="box-sizing: border-box;">Endpoint protection. Although network security is critical, device mobility often means traveling and connecting to multiple different networks that offer varying levels of security. To reduce the risk of introducing exposed hosts to critical networks, organizations should ensure mobile devices have security suites installed to detect and mitigate malware. <br><br></li><li style="box-sizing: border-box;">Enforce application security. Application allowlisting enables the organization to monitor programs and only allow those on the approved allowlist to execute. Allowlisting helps to stop the initial attack, even if the user clicks a malicious link or opens a malicious attachment. Implement baseline rule sets, such as NSA’s <a href="https://media.defense.gov/2020/Aug/04/2002469874/-1/-/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Limiting Location Data Exposure</a> guidance, to block execution of unauthorized or malicious programs.<ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;">Disable macros in office products. Macros are a common method for executing code through an attached office document. 
Some office products allow for the disabling of macros that originate from outside of the organization, providing a hybrid approach when the organization depends on the legitimate use of macros.<ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;">Windows-specific settings can be configured to block internet-originated macros from running. This can be done in the Group Policy Administrative Templates for each of the associated Office products (specifically Word, Excel and PowerPoint). Other productivity software, such as LibreOffice and OpenOffice, can be configured to set the Macro Security Level.<br><br></li></ul></li></ul></li><li style="box-sizing: border-box;">Be aware of third-party downloads—especially cryptocurrency applications. North Korean actors have been increasingly active with currency generation operations. Users should always verify file downloads and ensure the source is from a reputable or primary (preferred) source and not from a third-party vendor. Malicious cyber actors have continuously demonstrated the ability to trojanize applications and gain a foothold on host devices.<br><br></li><li style="box-sizing: border-box;">Create an incident response plan to respond to possible cyber intrusions.</li></ul>
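<p>As an added illustration of the macro-blocking setting described in the list above (this is not code from the original advisory or from CISA), the following PowerShell audits and, on request, sets the per-user Office policy value <code>blockcontentexecutionfrominternet</code> for Word, Excel and PowerPoint. The registry path and value name are Microsoft's documented policy locations for "Block macros from running in Office files from the Internet"; the version key <code>16.0</code> (Office 2016 and later), the <code>-Enforce</code> switch and the function names are this example's own assumptions.</p>

```powershell
# Added example, not from the original page. Audits (and optionally enforces) the
# Office policy "Block macros from running in Office files from the Internet",
# which Office reads from the per-user Policies hive. Assumption: Office 2016 or
# later (policy key "16.0"); run in the context of the user whose Office is audited.
param(
    [switch]$Enforce   # without this switch the script only reports the current state
)

$OfficeVersion = '16.0'
$Apps          = @('Word', 'Excel', 'PowerPoint')
$ValueName     = 'blockcontentexecutionfrominternet'

function Get-PolicyPath {
    param([string]$App)
    return "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

# Returns 'blocked' when the policy is in force, otherwise a short reason why not.
function Get-MacroBlockState {
    param([string]$App)
    $path = Get-PolicyPath -App $App
    if (-not (Test-Path -Path $path)) {
        return 'not configured (policy key absent)'
    }
    $props = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return 'not configured (value absent)'
    }
    if ($props.$ValueName -eq 1) { return 'blocked' }
    return "not blocked (value is $($props.$ValueName))"
}

# Creates the policy key if needed and writes the DWORD value 1 (= block).
function Set-MacroBlock {
    param([string]$App)
    $path = Get-PolicyPath -App $App
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit every application; enforce only when asked and only where needed.
foreach ($app in $Apps) {
    $before = Get-MacroBlockState -App $app
    if ($Enforce -and $before -ne 'blocked') {
        Set-MacroBlock -App $app
        $after = Get-MacroBlockState -App $app
        Write-Output ('{0,-10} {1} -> {2}' -f $app, $before, $after)
    }
    else {
        Write-Output ('{0,-10} {1}' -f $app, $before)
    }
}
```

<p>Run the script without switches to audit a host, or with <code>-Enforce</code> to set the value locally. For fleet-wide deployment use the Group Policy Administrative Templates the list refers to, which write the same value and will overwrite a locally set one at the next policy refresh. Two caveats a practitioner should keep in mind: the value lives under HKCU, so it must be present for every user profile that runs Office, and Office applies the block only to documents that carry the Mark-of-the-Web zone identifier, so a document that arrives without it is treated as local; the setting therefore complements, rather than replaces, the attachment scanning recommended above.</p>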