US-Cert released Alert TA17-164A HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure on June 13, 2017.

“This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. Government partners, DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.”

Click on the link to read the alert: https://www.us-cert.gov/ncas/alerts/TA17-164A

Topic

[sujeewa4csiacParticipant]

Hi, Is there any recent attacks using this?

[jmyedsParticipant]

Yes this is continuing, I know of at least one update since this post. November 14th there was a variant of this in another USCERT TA. The problem here is that this is a botnet. The owners of the Botnet are very savvy so closing it down is not easy.

“This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.”

https://www.us-cert.gov/ncas/alerts/TA17-318B HIDDEN COBRA – North Korean Trojan: Volgmer.

[tcostelloParticipant]

Question –
Any indication which types of corporations/industries are being targeted by NK in this Cobra/Trojan – volgmer attack?

From the CERT it looks as if the top IP addresses are in India, Pak, China, etc.
Any evidence they were also involved in the WannaCry and/or Sony hack?

[jmyedsParticipant]

@tcostello

The Wannacry source code is written with the key signatures of the North Korean known hacking group. That does not mean a great deal because source code can be stolen. However, to your point, the attacking location or IP addresses are most likely compromised machines. They can come from anywhere in the world.

https://www.engadget.com/2017/12/18/north-korea-wannacry/

[Author]

Replies