Crib Notes: Hidden Cobra – North Korea’s snake in the grass

Just like the infamous Cobra Kai Dojo from the 1984 classic, The Karate Kid, the APT group Hidden Cobra (aka Lazarus Group) doesn’t play fair. The group is a collective of cyber attackers associated with the North Korean Government who have been attacking organisations since 2009. 

When the group first emerged, they favoured DDOS attacks, particularly against targets in the US and South Korea. The group has evolved since those early days and is now suspected to be behind some of the world’s largest cyber-attacks – even being linked to last year’s devastating WannaCry outbreak. 

While its targets vary, the main industries in Hidden Cobra’s crosshairs are Media, Aerospace, Finance and Critical Infrastructure. 

Recently:

Earlier this month, two new malware variants were attributed to Hidden Cobra – HARDRAIN and BADCALL

These new strains enable attackers to install a remote access tool (RAT) payload on Android devices (via an APK file) and can force infected Windows devices to act as proxy servers. This is achieved by reconfiguring the Windows Firewall to accept incoming connections.

A far call from Hidden Cobra’s early DDOS days, both strains are incredibly sophisticated. For example, all command-and-control communications are disguised to appear as encrypted HTTPS sessions (which we’ll unpack further in our technical analysis below).

Technically:

Our researchers have collected a sample of the group’s BADCALL malware and conducted the below analysis. 

Hash (SHA 256): 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc

File Size: 233472 bytes

As shown below, this sample is a DLL file compiled using Visual C++:



Figure 1 Compiler details


Looking at the file’s strings, we found it contains multiple legitimate domains. This list of domains, discovered in the malware’s String list, underscores how sophisticated BADCALL is. These are used to perform “Keep Alive” activities and keep C&C communications hidden. For example, rather than communicate with an obviously malicious domain, the malware can reach out to legit domains and check if the internet connectivity is working from the infected machine. This data can then be used to as part of the logs during later communication with the actual C&C server:

  

Figure 2 Legit domain in strings

Having discovered the domains, we next looked for import and export tables:

 

Figure 3 DLL Imports

All these import DLL calls are used for network-related functions and the export table suggests the sample is recognised as ‘Gateway_DLL.dll’:

 

Figure 4 Export table

Analysing the sample further, we discovered characteristics responsible for disabling firewall registry entries (as mentioned earlier):

  

Figure 5 Firewall policy registry entry modified

One particularly sophisticated function of this malware is its ability to use the SSL library to initiate fake TLS connections. In order to make these fake connections looks as legitimate as possible, the variant calls to netconf.dll, wbemhost.dll, and devcfg.dll in order to use SSL certificates and verify private keys. These actions are illustrated in further detail below:

 

Figure 6 calls to SSL certificate

Once each infection is successful, it then needs to be verified by the malware operator – this is achieved by using a value in the code:

 

Figure 7 Value to authenticate the malware

On the other side of the coin, the malware also authenticates the server responsible for handling proxy traffic:

 

Figure 8 Value for authenticating proxy traffic server  

Prevalence:  Hidden Cobra has targeted many high-profile institutions – both for service disruption and data theft.

Two of the most high profile victims linked to the North Korean group are Sony Pictures (which was hacked in 2014 apparently in retaliation for the film, The Interview, in which two US journalists are recruited by the CIA to assassinate the Dear Leader) and the Bangladesh Central Bank (which lost US$81 million in a 2016 attack in which fraudulent instructions to withdraw cash were issued via the SWIFT network).  

In other recent activity, the group was observed using a DDOS tool called ‘DeltaCharlie’ in June 2017 to target US organisations – US-CERT subsequently issued detailed advisory including IOCs and network signatures. 

Mitigation: Hidden Cobra is known to use vulnerabilities affecting various applications, so keeping all software updated to latest versions is (as always) recommended. Some of the vulnerabilities the group is known to exploit include:

•    CVE-2015-6585: Hangul Word Processor Vulnerability

•    CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability

•    CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability

•    CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability

•    CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Security professionals should use the various IOC released by researchers and government bodies to blacklist hashes and malicious domains associated with the group. 

In the event an alert gets triggered, it is recommended to unplug the machine from the network in order to contain the infection. Further, we advise using Yara rules to scan for the existence of malicious files in the host. 


On 2018-02-28

Privacy Statement | Terms of Use