KEY POINTS

  • May 12 marked the three-year anniversary of the WannaCry ransomware outbreak
  • U.S. cybersecurity officials have exposed three new North Korean malware strains
  • These are called COPPERHEDGE, PEBBLEDASH, and TAINTEDSCRIBE

U.S. cybersecurity officials have exposed three new malware strains used by hackers sponsored by the North Korean government to attack targets around the world. The announcement was made on Tuesday (May 12), the three-year anniversary of the WannaCry outbreak. That ransomware was formally blamed on the North Korean regime, and charges were pressed against one of the hackers.

The three new malware strains recently announced are called COPPERHEDGE, PEBBLEDASH, and TAINTEDSCRIBE:

  • COPPERHEDGE - a remote access trojan (RAT) able to perform system reconnaissance, run arbitrary commands, and exfiltrate data. To date, six different variants of this malware have been identified.
  • PEBBLEDASH - a malware implant able to delete, upload, download, and execute files. It can also enable Windows CLI access, perform target system enumeration, and terminate and create processes.
  • TAINTEDSCRIBE - another malware implant (trojan), installed on compromised systems to receive and execute the attackers' commands. Its command traffic uses FakeTLS for network encryption and session authentication based on a Linear Feedback Shift Register (LFSR) type of algorithm. The main executable can disguise itself as Microsoft's Narrator.

According to ZDNet, Costin Raiu, a malware analyst at Kaspersky's GReAT, has confirmed the connection between known North Korean hacker groups and the three new malware strains. According to Raiu, the samples show code similarities with a known North Korean malware family, Manuscrypt, discovered by Kaspersky in 2017.

Besides the three-year anniversary of the WannaCry ransomware outbreak, May 12 also marks three years since the United States government started publishing alerts on North Korean hacking and malware activity on its official website. Since May 12, 2017, the DHS has published reports on as many as 28 North Korean malware samples.

The official website of the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published advisories for the three new malware strains. The VirusTotal account of the U.S. Cyber Command has also uploaded samples for the COPPERHEDGE, PEBBLEDASH, and TAINTEDSCRIBE malware strains.

By making information on North Korean malware strains readily available, the government allows the private and public sectors to prepare and deploy detection rules to block these attacks. This forces hackers sponsored by the North Korean government to regularly produce new versions in order to bypass security checks.

[Image caption] US cybersecurity agencies are warning that Chinese hackers are trying to steal research on developing a vaccine against the coronavirus, US media report (AFP / Kirill KUDRYAVTSEV)