Show vulnerabilities with patch / with exploit
17 February 2020

US authorities released new info about North Korean malware


US authorities released new info about North Korean malware

US Cyber Command, the Department of Homeland Security, and the Federal Bureau of Investigations have published six new Malware Analysis Reports (MARs) related to malicious cyber activity from North Korea. The released MARs are related to new malware families involved in new attacks conducted by North Korea-linked HIDDEN COBRA group (aka Lazarus group).

“Each of these MARs is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity”, CISA says.

CISA urges all users and administrators to carefully review these MARs for each malware variant listed below.

AR20-045A — BISTROMATH (a full-featured RAT implant executable)

AR20–045B — SLICKSHOES (Themida-packed dropper that decodes and drops a file "C:\Windows\Web\taskenc.exe" which is a Themida-packed beaconing implant)

AR20-045C — CROWDEDFLOUNDER (a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory)

AR20-045D — HOTCROISSANT (beaconing implant with variety of functions including the ability to conduct system surveys, upload/download files, execute processes and commands, perform screen captures)

AR20-045E — ARTFULPIE (an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL)

AR20-045F — BUFFETLINE (a full-featured beaconing implant).

The agencies also updated MARs report that includes information about the HOPLIGHT proxy-based backdoor Trojan that was first exposed in April 2019.

US Cyber Command also uploaded malware samples to VirusTotal noting that these tools are currently being used by threat actors for phishing and remote access in order to “steal funds and evade sanctions”.

Back to the list

Latest Posts

Vulnerability summary for the week: April 3, 2020

Vulnerability summary for the week: April 3, 2020

Weekly vulnerability digest.
3 April 2020
Someone’s wiped out over 15,000 unprotected Elasticsearch servers

Someone’s wiped out over 15,000 unprotected Elasticsearch servers

The attacks have started around March 24 and appear to be carried out using an automated script.
3 April 2020
DarkHotel hackers exploited flaws in Firefox and IE in attacks on China, Japan

DarkHotel hackers exploited flaws in Firefox and IE in attacks on China, Japan

In the attacks the hackers downloaded the Gh0st RAT on victims' machines.
3 April 2020