{"id":2961,"date":"2024-09-25T20:40:07","date_gmt":"2024-09-25T20:40:07","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2961"},"modified":"2025-07-29T06:48:23","modified_gmt":"2025-07-29T06:48:23","slug":"crib-notes-hidden-cobra-north-koreas-snake-in-the-grass","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-hidden-cobra-north-koreas-snake-in-the-grass\/","title":{"rendered":"Crib Notes: Hidden Cobra \u2013 North Korea\u2019s snake in the grass"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"444\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Indiancobra.webp\" alt=\"Indiancobra\" class=\"wp-image-2963\" style=\"width:570px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>Just like the infamous Cobra Kai Dojo from the 1984 classic, The Karate Kid, the APT group Hidden Cobra (aka Lazarus Group) doesn\u2019t play fair. The group is a collective of cyber attackers associated with the North Korean Government who have been attacking organisations since 2009.\u00a0<br><br>When the group first emerged, they favoured DDoS attacks, particularly against targets in the US and South Korea. 
The group has evolved since those early days and is now suspected to be behind some of the world\u2019s largest cyber-attacks \u2013 even being linked to the devastating 2017 <a href=\"https:\/\/www.theregister.co.uk\/2017\/06\/14\/north_korean_hidden_cobra_to_strike\/\" target=\"_blank\" rel=\"noopener\">WannaCry<\/a> outbreak.\u00a0<br><br>While its targets vary, the main industries in Hidden Cobra\u2019s crosshairs are Media, Aerospace, Finance and Critical Infrastructure.\u00a0<br><br><strong>Recently:<\/strong><br><br>At the time of writing (early 2018), two new malware variants had just been attributed to Hidden Cobra \u2013 <a href=\"https:\/\/www.scmagazine.com\/hidden-cobra-malware-infects-android-devices-with-rat-turns-windows-machines-into-proxies\/article\/744472\/\" target=\"_blank\" rel=\"noopener\">HARDRAIN and BADCALL<\/a>.\u00a0<br><br>These strains let attackers install a remote access tool (RAT) payload on Android devices (via an APK file) and force infected Windows devices to act as proxy servers. The proxy behaviour is enabled by reconfiguring the Windows Firewall to accept incoming connections.<br><br>A far cry from Hidden Cobra\u2019s early DDoS days, both strains are considerably more sophisticated. For example, all command-and-control communications are disguised to look like encrypted HTTPS sessions (which we\u2019ll unpack further in our technical analysis below).<br><br><strong>Technically:<\/strong><br><br>Our researchers have collected a sample of the group\u2019s BADCALL malware and conducted the analysis below.\u00a0<br><br><strong>Hash<\/strong> (SHA-256): 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc<br><br><strong>File Size<\/strong>: 233472 bytes<br><br>As shown below, this sample is a DLL file compiled using Visual C++:<br><em><br>Figure 1 Compiler details<\/em><br><br>Looking at the file\u2019s strings, we found it contains multiple legitimate domains. 
This list of domains, found in the malware\u2019s strings, underscores how carefully BADCALL blends in. They are used for \u201ckeep alive\u201d checks that also help keep C&amp;C communications hidden: rather than contacting an obviously malicious domain, the malware reaches out to legitimate domains to check whether the infected machine has working internet connectivity. The result can then be included in the data sent during later communication with the actual C&amp;C server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"552\" height=\"453\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-10-1.webp\" alt=\"\" class=\"wp-image-2965\"\/><\/figure>\n\n\n\n<p><em>Figure 2 Legit domain in strings<\/em><br><br>Having discovered the domains, we next looked at the import and export tables:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"795\" height=\"93\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-9-1.webp\" alt=\"\" class=\"wp-image-2966\"\/><\/figure>\n\n\n\n<p><em>Figure 3 DLL Imports<\/em><br><br>All of the imported DLLs provide network-related functions, and the export table shows the sample\u2019s internal name as \u2018Gateway_DLL.dll\u2019:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"559\" height=\"241\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-8-1.webp\" alt=\"\" class=\"wp-image-2967\"\/><\/figure>\n\n\n\n<p><br><em>Figure 4 Export table<\/em><br><br>Analysing the sample further, we found the code that modifies the Windows Firewall policy registry entries (as mentioned earlier) so that the host accepts incoming connections:\u00a0\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"706\" height=\"329\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5_1.webp\" alt=\"\" 
class=\"wp-image-2968\"\/><\/figure>\n\n\n\n<p><br><em>Figure 5 Firewall policy registry entry modified<\/em><br><br>One particularly sophisticated function of this malware is its use of an SSL library to initiate fake TLS connections. To make these fake connections look as legitimate as possible, the variant calls into netconf.dll, wbemhost.dll and devcfg.dll to use SSL certificates and verify private keys. These actions are illustrated in further detail below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"599\" height=\"779\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-7-1.webp\" alt=\"\" class=\"wp-image-2969\"\/><\/figure>\n\n\n\n<p><em>Figure 6 calls to SSL certificate<\/em><br><br>Once an infection succeeds, the implant must still be verified by the malware operator; this is achieved with a hard-coded value in the code:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"867\" height=\"253\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-6-1.webp\" alt=\"\" class=\"wp-image-2970\"\/><\/figure>\n\n\n\n<p><em>Figure 7 Value to authenticate the malware<\/em><br><br>On the other side of the coin, the malware also authenticates the server responsible for handling proxy traffic:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"555\" height=\"767\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-5-1.webp\" alt=\"\" class=\"wp-image-2971\"\/><\/figure>\n\n\n\n<p><em>Figure 8 Value for authenticating proxy traffic server<\/em> \u00a0<br><br><strong>Prevalence<\/strong>: \u00a0Hidden Cobra has targeted many high-profile institutions \u2013 both for service disruption and data theft.<br><br>Two of the highest-profile victims linked to the North Korean group are <a 
href=\"https:\/\/www.engadget.com\/2017\/06\/14\/us-issues-alert-north-korea-cyber-attack-hidden-cobra\/\" target=\"_blank\" rel=\"noopener\">Sony Pictures<\/a> (hacked in 2014, apparently in retaliation for the film The Interview, in which two US journalists are recruited by the CIA to assassinate North Korea\u2019s leader) and the <a href=\"https:\/\/www.engadget.com\/2017\/06\/14\/us-issues-alert-north-korea-cyber-attack-hidden-cobra\/\" target=\"_blank\" rel=\"noopener\">Bangladesh Central Bank<\/a> (which lost US$81 million in a 2016 attack in which fraudulent payment instructions were issued via the SWIFT network). \u00a0<br><br>US-CERT\u2019s June 2017 advisory (<a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA17-164A\" target=\"_blank\" rel=\"noopener\">TA17-164A<\/a>) described the group\u2019s use of a DDoS botnet tool called \u2018DeltaCharlie\u2019 against US organisations, and included IOCs and network signatures.\u00a0<br><br><strong>Mitigation<\/strong>: Hidden Cobra is known to exploit vulnerabilities in a range of applications, so keeping all software updated to the latest versions is (as always) recommended. 
Some of the vulnerabilities the group is known to exploit include:<br><br>\u2022\u00a0\u00a0 \u00a0CVE-2015-6585: Hangul Word Processor Vulnerability<br><br>\u2022\u00a0\u00a0 \u00a0CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability<br><br>\u2022\u00a0\u00a0 \u00a0CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability<br><br>\u2022\u00a0\u00a0 \u00a0CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability<br><br>\u2022\u00a0\u00a0 \u00a0CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability<br><br>Security professionals should use the IOCs released by researchers and government bodies to block the hashes and malicious domains associated with the group.\u00a0<br><br>If an alert is triggered, isolate the machine from the network to contain the infection, then use YARA rules to scan the host for the presence of malicious files.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just like the infamous Cobra Kai Dojo from the 1984 classic, The Karate Kid, the APT group Hidden Cobra (aka Lazarus Group) doesn&rsquo;t play fair. 
The group is a collective of cyber attackers associated with the North Korean Government who have been attacking organisations since 2009.&nbsp; When the group first emerged, they favoured DDoS attacks, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2963,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2961"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2961\/revisions"}],"predecessor-version":[{"id":4346,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2961\/revisions\/4346"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2963"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
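The string, import and export review in the post's "Technically" section, turned into a repeatable triage step. This is an added example written for this page; it is not LMNTRIX code and contains no bytes or strings recovered from the BADCALL sample. Everything it scans is a constructed stand-in: the SAMPLE blob, the network DLL list and the firewall registry path fragment are assumptions chosen to mirror the indicator classes the analysis describes (legitimate domains for keep-alive traffic, network imports, the three DLLs named for the fake TLS setup, and a Windows Firewall policy key), and only the SHA-256 in KNOWN_SAMPLES is taken from the post.

```python
"""Static triage of a suspected BADCALL-style DLL from its embedded strings.

Added example for this page, not LMNTRIX code and not strings recovered from the
analysed sample. The byte blob, the registry path fragment and the DLL lists are
constructed assumptions used to exercise the classifier.
"""
import hashlib
import re
from collections import defaultdict

MIN_LEN = 6  # minimum printable run, the same default as the `strings` utility

# SHA-256 quoted in the write-up for the analysed BADCALL DLL.
KNOWN_SAMPLES = {
    "4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc": "BADCALL (Gateway_DLL.dll)",
}

# Indicator classes discussed in the write-up. The registry fragment and the
# network DLL names are assumptions for illustration, not from the sample.
FIREWALL_KEY_FRAGMENT = r"sharedaccess\parameters\firewallpolicy"
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "iphlpapi.dll", "dnsapi.dll"}
TLS_HELPER_DLLS = {"netconf.dll", "wbemhost.dll", "devcfg.dll"}  # the three DLLs named in the post
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,6}$", re.IGNORECASE)

ASCII_RUN = rb"[\x20-\x7e]{%d,}"
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"  # UTF-16LE, as registry paths usually are


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return ASCII and UTF-16LE printable runs of at least min_len chars, in file order."""
    runs = [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(ASCII_RUN % min_len, blob)]
    runs += [(m.start(), m.group().decode("utf-16le"))
             for m in re.finditer(WIDE_RUN % min_len, blob)]
    return [s for _, s in sorted(runs)]


def classify(strings) -> dict:
    """Bucket strings into the indicator classes the analysis cares about."""
    buckets = defaultdict(list)
    for s in strings:
        low = s.lower()
        if low in TLS_HELPER_DLLS:
            buckets["tls_helper_dll"].append(s)
        elif low in NETWORK_DLLS:
            buckets["network_dll"].append(s)
        elif low.endswith(".dll"):
            # A strings pass cannot tell an export name (Gateway_DLL.dll) from an import.
            buckets["other_dll"].append(s)
        elif FIREWALL_KEY_FRAGMENT in low:
            buckets["firewall_registry"].append(s)
        elif DOMAIN_RE.match(s):
            buckets["domain"].append(s)
    return dict(buckets)


def triage(blob: bytes) -> dict:
    """Hash check first (cheapest, highest confidence), then string-based findings."""
    sha256 = hashlib.sha256(blob).hexdigest()
    buckets = classify(extract_strings(blob))
    findings = []
    if buckets.get("firewall_registry"):
        findings.append("touches Windows Firewall policy registry keys")
    if buckets.get("tls_helper_dll"):
        findings.append("references the fake-TLS helper DLLs")
    if len(buckets.get("domain", [])) >= 3 and buckets.get("network_dll"):
        findings.append("bundles legitimate domains alongside network imports (keep-alive cover traffic)")
    return {"sha256": sha256, "known_sample": KNOWN_SAMPLES.get(sha256),
            "indicators": buckets, "findings": findings}


# Constructed stand-in for a DLL: a fake PE header followed by the kinds of strings
# the write-up describes. These are not bytes from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 24
    + b"ws2_32.dll\x00wininet.dll\x00Gateway_DLL.dll\x00"
    + b"www.amazon.com\x00www.apple.com\x00www.google.com\x00"
    + b"netconf.dll\x00wbemhost.dll\x00devcfg.dll\x00\x00"
    + "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile".encode("utf-16le")
    + b"\x00\x00" + b"\x00" * 32
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real file, replace SAMPLE with `open(path, "rb").read()`. The hash lookup is the only high-confidence verdict here; the string buckets are leads for an analyst, and a strings pass alone cannot separate an export name such as Gateway_DLL.dll from an imported library, so pair it with a PE parser such as pefile to read the import and export tables directly.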