This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE: Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see.

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Remote Access Trojan (RAT) malware variants used by the North Korean government. This malware variant has been identified as BLINDINGCAN. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https//

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies. The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim's system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system.

CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) and two Dynamic-Link Libraries (DLLs). The threat actor whose activity is described in this report may have included images of logos and products, such as the examples in this report, as a part of a social engineering strategy. The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named "iconcache.db" respectively. The DLL "iconcache.db" unpacks and executes a variant of Hidden Cobra RAT. It contains built-in functions for remote operations that provide various capabilities on a victim's system.

For a downloadable copy of IOCs, see MAR-10295134-1.v1.stix.
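As an added defensive example, not code from the MAR, the following Python triages a .docx attachment for package relationships that point at external targets, which is one way a Word document can be made to reach out to a remote host when opened. The mechanism being checked and the minimal sample package are assumptions constructed here; the placeholder host is not an indicator from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace used by every *.rels part in a .docx.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def external_targets(docx_bytes):
    """Return (rels_part, target) for each relationship whose TargetMode is
    External, i.e. content Word would fetch from outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Target", "")))
    return found


def flag_remote_downloads(docx_bytes):
    """Keep only external targets that name a network location (URL or UNC);
    these are the ones worth blocking or sandboxing before a user opens them."""
    return [(part, target) for part, target in external_targets(docx_bytes)
            if re.match(r"^(https?|ftp|file)://|^\\\\", target, re.IGNORECASE)]


def build_sample_docx(remote_template=True):
    """Constructed minimal .docx: with remote_template=True, settings.xml.rels
    carries an attachedTemplate pointing at a placeholder host (constructed,
    not a real indicator); otherwise the package has only internal parts."""
    rels = f"<Relationships xmlns='{REL_NS}'>"
    if remote_template:
        rels += (f"<Relationship Id='rId1' Type='{TEMPLATE_TYPE}' "
                 "Target='https://example.invalid/template.dotm' "
                 "TargetMode='External'/>")
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types xmlns='http://schemas."
                   "openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", "<w:document xmlns:w='http://schemas."
                   "openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `flag_remote_downloads` over quarantined attachments; a non-empty result for a document that should be self-contained is a reason to hold it for analysis.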