A recent analysis focuses on three malware families, Copperhedge, Taintedscribe & Pebbledash, all thought to be operated by the N. Korean ‘Hidden Cobra’ APT group. All three work as persistent agents whose goals include stealing cryptocurrency & exfiltrating data.
This analysis was produced in the US by CISA (the Cybersecurity & Infrastructure Security Agency), the US Department of Defense & the FBI.
Copperhedge is a remote access tool (RAT) belonging to the Manuscrypt malware family, a full-featured RAT used to target cryptocurrency exchanges & related entities.
Manuscrypt can run arbitrary commands, perform system reconnaissance & exfiltrate data. The US agencies describe 6 distinct variants, identified by their network & code features & grouped by shared code & a common class structure. Some of the implants still carry a symbol giving the class name “WinHTTP_Protocol”, & later samples “WebPacket”, the report notes.
Taintedscribe is described as a full-featured beaconing implant that uses FakeTLS (traffic that imitates TLS record framing without a real TLS handshake) for session authentication & a Linear Feedback Shift Register (LFSR) algorithm for network encryption. The main executable camouflages itself as ‘Microsoft Narrator’ & communicates with a command & control server. When running, Taintedscribe can download, upload, delete & execute files; enable Windows CLI access; create & terminate processes; & enumerate the target system.
Pebbledash is another full-featured beaconing implant, a trojan with the same capabilities (including data exfiltration) as Taintedscribe. The primary difference between the 2 is that Pebbledash uses RC4 for network encoding.
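The two network-encoding schemes named for Taintedscribe (an LFSR keystream) & Pebbledash (RC4) are both XOR stream ciphers, so the same analyst technique applies to either: with a known-plaintext beacon the keystream falls out, & a reused seed or key then decrypts sibling messages. The following is an added example written for this article, not code from the MARs or from the implants. The reports give no register width, taps, seed or RC4 key for either implant, so the parameters below (the textbook 16-bit maximal-length LFSR x^16+x^14+x^13+x^11+1 with seed 0xACE1, the RC4 test key “Key”) & the sample beacon strings are assumed values chosen only to make the code run; they are not the implants’ own.

```python
"""Generic LFSR and RC4 keystream ciphers, plus a known-plaintext keystream
recovery. Added illustration for the MAR write-up; parameters are ASSUMED
textbook values, not those of Taintedscribe or Pebbledash."""
from typing import Iterator, Tuple


def lfsr_step(state: int, taps: Tuple[int, ...], width: int) -> int:
    """One clock of a right-shift Fibonacci LFSR: XOR the tapped bits
    (0-based positions) into a feedback bit, shift right, insert at the top."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (width - 1))


def lfsr_keystream(seed: int, taps=(0, 2, 3, 5), width=16) -> Iterator[int]:
    """Yield keystream bytes, 8 output bits (the register's low bit) per byte.
    Default taps: the standard x^16+x^14+x^13+x^11+1 maximal-length example
    (period 65535). Assumed parameter, not Taintedscribe's."""
    if not 0 < seed < (1 << width):
        raise ValueError("seed must be non-zero and fit the register")
    state = seed
    while True:
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (state & 1)
            state = lfsr_step(state, taps, width)
        yield byte


def lfsr_period(seed: int, taps=(0, 2, 3, 5), width=16) -> int:
    """Clocks until the register returns to seed (2**width - 1 for a
    maximal-length polynomial, i.e. the keystream repeats after that)."""
    state = lfsr_step(seed, taps, width)
    n = 1
    while state != seed:
        state = lfsr_step(state, taps, width)
        n += 1
        if n > (1 << width):
            raise RuntimeError("register never returned to seed")
    return n


def lfsr_crypt(data: bytes, seed: int, taps=(0, 2, 3, 5), width=16) -> bytes:
    """XOR data with the LFSR keystream; the same call decrypts."""
    ks = lfsr_keystream(seed, taps, width)
    return bytes(b ^ next(ks) for b in data)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), symmetric: the same call decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Any XOR stream cipher leaks its keystream under known plaintext,
    whichever generator (LFSR or RC4) produced it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Constructed sample beacons for the demo (not captured traffic).
BEACON_1 = b"BEACON host=WKS-01 user=alice"
BEACON_2 = b"BEACON host=WKS-02 user=bob"


def demo_seed_reuse(seed: int = 0xACE1) -> bytes:
    """Two beacons under the same LFSR seed: knowing BEACON_1's plaintext
    recovers the keystream and decrypts BEACON_2 without knowing the seed."""
    c1 = lfsr_crypt(BEACON_1, seed)
    c2 = lfsr_crypt(BEACON_2, seed)
    ks = recover_keystream(c1, BEACON_1)
    return bytes(c ^ k for c, k in zip(c2, ks))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(lfsr_period(0xACE1))                     # 65535
    print(demo_seed_reuse())                       # b'BEACON host=WKS-02 user=bob'
```

The RC4 vector (“Key”/“Plaintext”) is the standard published test value, useful for checking a reimplementation pulled out of a sample; the LFSR period check shows why a short register is a weak keystream source on its own, & the seed-reuse demo is the check an analyst runs first when two beacons from the same host decode to readable text after XORing.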
Malware Analysis Reports (MARs) are released by US government agencies fairly regularly to enable network defence & reduce exposure to malicious cyber activity by the N. Korean government. Each MAR includes malware descriptions, suggested response actions & recommended mitigation techniques, & CISA asks any organisation that has been targeted by any of these malware types to notify it as soon as possible.