Deadly ‘snake in the grass’ – Analysis of 3 Hidden Cobra malware variants issued by CISA


A recent analysis focuses on three malware families, Copperhedge, Taintedscribe & Pebbledash, all thought to be operated by the North Korean ‘Hidden Cobra’ APT group. All three work as persistent agents with malicious goals that include stealing cryptocurrency & exfiltrating data.

The analysis was produced in the US by CISA (the Cybersecurity & Infrastructure Security Agency), the US Department of Defense & the FBI.

Copperhedge

Copperhedge is a remote access tool (RAT) belonging to the Manuscrypt malware family, a full-featured RAT used to target cryptocurrency exchanges & related entities.

Manuscrypt can run arbitrary commands, perform system reconnaissance & remove data. The US has described 6 distinct variants based on network & code features; the variants are categorised by their shared code & common class structure. The report notes that a symbol remains in some of the implants identifying a class name of “WinHTTP_Protocol” &, in later samples, “WebPacket”.

Taintedscribe

Taintedscribe is described as a full-featured beaconing implant that uses FakeTLS for session authentication & a Linear Feedback Shift Register (LFSR) algorithm for network encryption. The main executable disguises itself as ‘Microsoft Narrator’ & communicates with a command & control server. When running, Taintedscribe has the capacity to download, upload, delete & execute files; enable Windows CLI access; create & terminate processes; & perform target system enumeration.

Pebbledash

Pebbledash is another trojan, a full-featured beaconing implant with the same data-exfiltration capabilities as Taintedscribe. The primary difference between the 2 is that Pebbledash uses RC4 for network encoding.

MARs

MARs (Malware Analysis Reports) are released by US government agencies fairly regularly to enable network defence & lower exposure to malicious North Korean government cyber activity. Each MAR includes malware descriptions, suggested response actions & recommended mitigation techniques, & CISA is asking any organisation targeted by any of these malware types to notify it as soon as possible.
