Hidden Cobra Adds To Its Malware Arsenal: CISA

The DHS Cybersecurity
and Infrastructure Security Agency (CISA) and the Federal Bureau of
Investigation have released a report on six new or upgraded malware variants
being used by North Korea.

The malware
types included are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant,
Artfulpie, Buffetline and Hoplight. Hoplight is a previously recorded malware
believed to be used by the North Korean cyberespionage group Hidden Cobra. All the new
malware types are also used by Hidden Cobra, according to CISA.

Bistromath,
also used by Hidden Cobra, is basically a full-featured RAT implant executable
and multiple versions of the CAgent11 GUI implant controller/builder. It
performs simple XOR network encoding and can conducting system surveys, file
upload/download, process and command execution, can listen to audio microphone,
view the clipboard and the screen. The GUI controllers allow interaction with
the implant as well as the option to dynamically build new implants with
customized options.

Slickshoes is
a Themida-packed dropper that decodes and drops a file
“C:WindowsWebtaskenc.exe” which is a Themida-packed beaconing
implant. This beacon does not execute the dropped file nor does it schedule any
tasks to run the malware, instead it uses an indigenous network encoding
algorithm to conducting system surveys, file upload/download, process and
command execution and screen captures.

Crowdedflounder
is a Themida-packed 32-bit Windows executable that can unpack and execute a RAT
binary in memory. Other features include the ability to listen as a proxy for
incoming connections containing commands or can connect to a remote server to
receive commands.

Hotcroissant
is another full-featured beaconing implant that performs a custom XOR network
encoding and can conduct system surveys, upload and download files, process and
command execution and perform screen captures.

Artfulpie is
an implant that downloads data and handles in-memory loading and execution of a
DLL from a hardcoded URL.

Buffetline is
the third full featured implant listed. It uses PolarSSL for session
authentication, but switches to a FakeTLS scheme for network encoding using a
modified RC4 algorithm. The malware has the capability to download, upload,
delete, and execute files; enable Windows CLI access; create and terminate
processes; and perform target system enumeration.

Topics:

Cyberespionage Government/Defense

Source: https://www.scmagazine.com/home/security-news/malware/hidden-cobra-adds-to-its-malware-arsenal-cisa/

Generative Data Intelligence

Hidden Cobra adds to its malware arsenal: CISA

Topics:

Honda Launches 3 New Electric Cars … In China, For China – CleanTechnica

US Air Force says AI-controlled F-16 has fought humans

Latest Intelligence

Artificially: Learn to use Artificial Intelligence crowdfunding opportunity project pitch by Indiegogo

Lightning Kayaks AIR 9: Inflatable Pedal Board crowdfunding opportunity project pitch by Indiegogo

Quest 2 Accessory Prices Cut By More Than 50%

How the halving will impact the Bitcoin market

USA Pulls Mexico Into Its Anti-Chinese EVs Policies – CleanTechnica

Chinese scientists claim breakthrough in detecting F-22 stealth jets: F-22 stealth threatened? – Tech Startups

Chat with us