US authorities released new info about North Korean malware

US Cyber Command, the Department of Homeland Security, and the Federal Bureau of Investigation have published six new Malware Analysis Reports (MARs) on malicious cyber activity attributed to North Korea. The MARs cover new malware families used in recent attacks by the North Korea-linked HIDDEN COBRA group (aka Lazarus Group).

“Each of these MARs is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity”, CISA says.

CISA urges all users and administrators to carefully review these MARs for each malware variant listed below.

AR20-045A — BISTROMATH (a full-featured RAT implant executable)

AR20-045B — SLICKSHOES (a Themida-packed dropper that decodes and drops the file "C:\Windows\Web\taskenc.exe", which is itself a Themida-packed beaconing implant)

AR20-045C — CROWDEDFLOUNDER (a Themida-packed 32-bit Windows executable designed to unpack and execute a Remote Access Trojan (RAT) binary in memory)

AR20-045D — HOTCROISSANT (a beaconing implant with a variety of functions, including the ability to conduct system surveys, upload/download files, execute processes and commands, and perform screen captures)

AR20-045E — ARTFULPIE (an implant that downloads a DLL from a hardcoded URL and loads and executes it in memory)

AR20-045F — BUFFETLINE (a full-featured beaconing implant)

The agencies also updated the existing MAR on HOPLIGHT, a proxy-based backdoor Trojan that was first exposed in April 2019.

US Cyber Command also uploaded malware samples to VirusTotal, noting that these tools are currently being used by threat actors for phishing and remote access in order to “steal funds and evade sanctions”.
