North Korea (specifically the Lazarus group) has a long and storied history of destructive cyber-attacks. Some more notable examples are the 2013 “Dark Seoul” attacks, the 2014 attack on Sony Pictures, a series of SWIFT-targeted campaigns in 2015-2016, and more recently their foray into commercial cybercrime operations with Trickbot and Anchor.
The US-CERT recently released a new set of MARs (Malware Analysis Reports) covering newly uncovered/updated malware/implants attributed to North Korea. More specifically, these are tools attributed to the Lazarus Group / Hidden Cobra. These updates provide a sizeable glimpse into the ever expanding DPRK toolset. As we have seen in the past, the complexity and sophistication of these tools varies widely. Most of the families covered in this update are meant to function as RATs or Cobalt-Strike-like (beacon) tools meant to enable persistence and manipulation of infected hosts.
BISTROMATH
Full Featured RAT (Remote Access Trojan) payloads and associated CAgent11 implant builder/controller. This implant is used for standard system management, control and recon. Initial infection is carried out via a malicious executable. An embedded bitmap image (contained in the trojan) is decoded into shellcode upon execution, thus loading the implant. Network communications are encrypted via XOR. The analyzed BISTROMATH samples, along with the other families all attempt to evade analysis via common sandboxes (VIRTUALBOX, QEMU, VMware) via multiple artifact checks (presence of specific devices, registry entries, processes, files).
Core functionality includes:
· File and Process manipulation
· File/Data upload/exfiltration
· Timestamp modification/masquerading
· Service start/stop
· CMD shell access / use
· Screenshot Capture
· Microphone Capture
· Webcam Control
· Keylogging
· Browser hijacking/form grabbing
· Exfiltration of cached credentials
· Self-management (update/uninstall)
HOPLIGHT
Proxy payload to obfuscate and/or re-route traffic between infected hosts and C2. Traffic is encrypted over SSL, and the individual payloads are capable of generating fake SSL Certificates. Analyzed samples are Themida packed. One of the examples (SHA256: d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39) provided by CISA contained a public SSL certificate and encrypted payload.
SLICKSHOES
SLICKSHOES is typically utilized as a loader/Dropper. The malware writes itself to “C:WindowsWebtaskenc.exe”. Separate processes are responsible for the manipulation and execution of the dropped executable. SLICKSHOES is a full beacon-style implant (similar to Cobalt Strike).
Makes use of bespoke encoding methods and is capable of RAT-like functionality.
· File and Process manipulation
· System recon and exfiltration
· Input capture
· Command/process execution and manipulation
SLICKSHOES communicates to a hardcoded C2 address (188[.]165[.]37[.]168) on TCP port 80. Communication occurs in 60-second intervals.
CROWDEDFLOUNDER
CROWDEDFLOUNDER functions as a memory-resident RAT (32-bit and Themida packed). The malware accepts arguments at runtime, and can be installed as a service.
CROWDEDFLOUNDER implants can perform full two-way comms with C2, however in context the primary function appears to be a proxy for inbound connections from the C2. Upon execution the malware will manipulate local firewall settings to allow for flow of its traffic. C2 traffic and data transfers are encrypted via rotating XOR.
Functionality includes:
· File and Process manipulation
· System recon and exfiltration
· Input capture
· Command/process execution and manipulation
HOTCROISSANT
HOTCROISSANT is a full beacon-style (Cobalt Strike style) implant with RAT-like functionality. Network traffic is encoded via XOR. C2 communications are limited to a hard-coded IP (94.177.123.138:8088). Upon infection, victim information is transferred to the C2. After this point, the malware listens and responds to commands from the C2.
ARTFULPIE
ARTFULPIE is responsible for retrieval and injection of a DLL-based payload. The malware contains a hard-coded URL from which to download the additional code (193[.]56[.]28[.]103).
BUFFETLINE
BUFFETLINE is a full, beacon-style, implant with RAT-like functionality.
Features include:
· File and Process manipulation
· System recon and exfiltration
· CLI status manipulation
· Lateral targeting & enumeration
· Command/process execution and manipulation
Analyzed samples utilize a combination of RC4 encoding and PolarSSL (auth) to obfuscate network communications. Once authenticated to the C2, the trojan will send a collection of victim information and then await further interaction.
Data transferred includes:
· Victim “ID”
· Implant Version
· System directory location
· Hardware details (network adapters, CPU revision)
· OS Version / Software environment data
· Computer Name
· Victim IP Address
Conclusion
Adversarial toolsets are constantly evolving. The upper tier of sophisticated, or state-backed threats, have rapid and agile development/release cycles, mirroring the world of legitimate software development. Staying on top of these trends is a critical piece of protecting our environments against these threats. A power and modern security platform (ex: SentinelOne Singularity) is required to tackle these evolving threats from both static and behavioral angles.
IOCs
HOPLIGHT SHA-256: 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 SHA-256: 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571 SHA-256: 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319 SHA-256: 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d SHA-256: 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 SHA-256: 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 SHA-256: 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11 SHA-256: 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 SHA-256: 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 SHA-256: 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 SHA-256: 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33 SHA-256: 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a SHA-256: 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520 SHA-256: b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9 SHA-256: b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101 SHA-256: c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8 SHA-256: d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 SHA-256: ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d SHA-256: f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03 SHA-256: fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5 112[.]175[.]92.57 113[.]114[.]117.122 117[.]239[.]241.2 119[.]18[.]230.253 128[.]200[.]115.228 137[.]139[.]135.151 14[.]140[.]116.172 181[.]39[.]135.126 186[.]169[.]2.237 195[.]158[.]234.60 197[.]211[.]212.59 21[.]252[.]107.198 210[.]137[.]6.37 217[.]117[.]4.110 218[.]255[.]24.226 221[.]138[.]17.152 26[.]165[.]218.44 47[.]206[.]4.145 70[.]224[.]36.194 81[.]94[.]192.10 81[.]94[.]192.147 84[.]49[.]242.125 97[.]90[.]44.200
ARTFULPIE SHA-256: 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c 193[.]56[.]28.103
HOTCROISSANT SHA-256: 8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085 94[.]177[.]123.138
CROWDEDFLOUNDER SHA-256: a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
SLICKSHOES SHA-256: fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac 188[.]165[.]37.168
BISTROMATH SHA-256: 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 SHA-256: 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 SHA-256: 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 SHA-256: 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 159[.]100[.]250.231
BUFFETLINE SHA-256: 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 107[.]6[.]12.135 210[.]202[.]40.35
MITRE ATT&CK
Lazarus Group – G0032
Commonly Used Port – T1043
Connection Proxy – T1090
Credential Dumping – T1003
Custom Cryptographic Protocol – T1024
Data Encoding – T1132
Data from Local System – T1005
Data Staged – T1074
Exfiltration Over Alternative Protocol – T1048
Exfiltration Over Command and Control Channel – T1041
File and Directory Discovery – T1083
Input Capture – T1056
New Service – T1050
Obfuscated Files or Information – T1027
Process Discovery – T1057
Process Injection – T1055
Query Registry – T1012
Registry Run Keys / Startup Folder – T1060
Remote File Copy – T1105
Scripting – T1064
Spearphishing Attachment – T1193
System Information Discovery – T1082
System Network Configuration Discovery – T1016
System Owner/User Discovery – T1033
System Time Discovery – T1124
Uncommonly Used Port – T1065
User Execution – T1204
Software: HOPLIGHT – S0376
