The Cybersecurity and Infrastructure Security Agency (CISA) and two other federal agencies issued malware analysis reports (MAR) for three North Korean-government operated APTs and trojans.
The malware analyzed by CISA, the Department of Defense and the FBI are code-named Copperhedge, Taintedscribe and Pebbledash, all three of which are believed to be operated by the North Korean operated Hidden Cobra APT group. All act as persistent agents with malicious goals that include stealing cryptocurrency and data exfiltration.
The remote access tool (RAT) Copperhedge uses the Manuscript family of malware, which is a full-featured RAT, to target cryptocurrency exchanges and related entities.
Manuscrypt is capable of running arbitrary commands, performing system reconnaissance and remove data. The U.S. has described six distinct variants based on network and code features. The different models are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of "WinHTTP_Protocol" and later "WebPacket", the report said.
CISA has listed the IOCs for Copperhedge here.
Taintedscribe is a full-featured beaconing implant that uses FakeTLS for session authentication and a Linear Feedback Shift Register (LFSR) algorithm for network encryption. The primary malware camoflauges itself as Microsoft Narrator and works in conjunction with a command and control server. Once operating Taintedscribe has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Its IOCs can be found here.
The trojan Pebbledash is another a full-featured beaconing implant that conducts the same type of data exfiltration as Taintedscribe. The primary difference between the two is Pebbledash uses RC4 for network encoding.
Its IOCs can be found here.
MARs are released by government agencies on a regular basis in an attempt to keep enable network defense and reduce exposure to North Korean government malicious cyber activity. Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques and CISA is asking any organization that is victimized by any of these malware types to notify it as soon as possible.