Hidden Cobra adds to its malware arsenal: CISA

The DHS Cybersecurity
and Infrastructure Security Agency (CISA) and the Federal Bureau of
Investigation have released a report on six new or upgraded malware variants
being used by North Korea.

Thread

The malware
types included are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant,
Artfulpie, Buffetline and Hoplight. Hoplight is a previously recorded malware
believed to be used by the North Korean cyberespionage group Hidden Cobra. All the new
malware types are also used by Hidden Cobra, according to CISA.

Bistromath,
also used by Hidden Cobra, is basically a full-featured RAT implant executable
and multiple versions of the CAgent11 GUI implant controller/builder. It
performs simple XOR network encoding and can conducting system surveys, file
upload/download, process and command execution, can listen to audio microphone,
view the clipboard and the screen. The GUI controllers allow interaction with
the implant as well as the option to dynamically build new implants with
customized options.

Slickshoes is
a Themida-packed dropper that decodes and drops a file
“C:WindowsWebtaskenc.exe” which is a Themida-packed beaconing
implant. This beacon does not execute the dropped file nor does it schedule any
tasks to run the malware, instead it uses an indigenous network encoding
algorithm to conducting system surveys, file upload/download, process and
command execution and screen captures.

Crowdedflounder
is a Themida-packed 32-bit Windows executable that can unpack and execute a RAT
binary in memory. Other features include the ability to listen as a proxy for
incoming connections containing commands or can connect to a remote server to
receive commands.

Hotcroissant
is another full-featured beaconing implant that performs a custom XOR network
encoding and can conduct system surveys, upload and download files, process and
command execution and perform screen captures.

Artfulpie is
an implant that downloads data and handles in-memory loading and execution of a
DLL from a hardcoded URL.

Buffetline is
the third full featured implant listed. It uses PolarSSL for session
authentication, but switches to a FakeTLS scheme for network encoding using a
modified RC4 algorithm. The malware has the capability to download, upload,
delete, and execute files; enable Windows CLI access; create and terminate
processes; and perform target system enumeration.

The post Hidden Cobra adds to its malware arsenal: CISA appeared first on SC Media.

Original Source