Menu Close

Deadly ‘snake in the grass’ – Analysis of 3 Hidden Cobra malware variants issued by CISA

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Copperhedge, Taintedscribe & Pebbledash malware have been focused on by a recent analysis, with all 3 thought to be operated by the N. Korean ‘Hidden Cobra’ APT Group. All work as ‘persistent agents’ with malicious goals including stealing cryptocurrency & data exfiltration.

This analysis was produced in the US by CISA (The Cybersecurity & Infrastructure Security Agency), the US Department of Defence & the FBI.


The remote access tool (RAT) Copperhedge uses the Manuscript family of malware, which is a full-featured RAT, to target cryptocurrency exchanges & related entities.

Manuscrypt can run arbitrary commands, performing system reconnaissance & remove data. The US has described 6 distinct variants based on network & code features. The different models are categorised based on common code & a common class structure. A symbol remains in some of the implants identifying a class name of “WinHTTP_Protocol” & later “WebPacket”, the report mentioned.


Taintedscribe is described as a full-featured beaconing implant that uses FakeTLS for session authentication & a Linear Feedback Shift Register (LFSR) algorithm for network encryption. The primary malware camouflages itself as ‘Microsoft Narrator’ & works with a command & control server. When running, Taintedscribe has the capacity to download, upload, delete, & execute files; enable Windows CLI access; create & terminate processes; & perform target system enumeration.


The trojan Pebbledash is another – a full-featured ‘beaconing implant’ that produces the same type of data exfiltration as Taintedscribe. The primary difference between the 2 is Pebbledash uses RC4 for network encoding.


MARs are released by US government agencies fairly regularly to enable network defence & lower exposure to N. Korean government dangerous cyber activity. Each MAR includes malware descriptions, suggested response actions, & recommended mitigation techniques & CISA is asking any organisation that is targeted by any of these malware types to notify it asap.


More To Explore

Community Area


Home Workouts


spaghetti Bolognese