​Security alert: Watch out for password-stealing malware says FBI

North Korean malware can steal data and spread across networks.
Written by Steve Ranger, Global News Director

US authorities have provided more details of two pieces of malware which, they said, are used by North Korean hackers to infiltrate computer systems and steal passwords and other data.

The Department of Homeland Security and the FBI said that North Korean hackers have been using both Joanap, a remote access tool (RAT), and Brambul, a Server Message Blockworm, since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors.

In a security alert, the agencies warn that Joanap can receive commands issued by the hackers remotely from a command-and-control server. It typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit sites compromised by the hackers, or when they open malicious email attachments.

See: Special report: Cybersecurity in an IoT and mobile world (free PDF)

The malware gives North Korea's hackers -- which the agencies refer to by the code-name 'Hidden Cobra' -- the ability to steal data, run further malware and initialise proxy communications on a compromised Windows device. Other functions include file management, process management, creation and deletion of directories and node management.

During analysis of the infrastructure used by Joanap malware, the US government has identified 87 compromised network nodes used as part of the hacking campaign in countries including Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan and Tunisia.

The agencies said the Brambul malware is a brute-force worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks.

Brambul is a malicious Windows 32-bit SMB worm often installed onto victims' networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol by launching brute-force password attacks using a list of embedded passwords. It also generates random IP addresses for further attacks.

See: What is phishing? How to protect yourself from scam emails and more

Once the malware has gained unauthorized access, it communicates information about victim's systems to the hackers via email, including the IP address and host name -- as well as the username and password -- of each victim's system.

Deterring North Korea's hackers has proved difficult, but by going public with some of the information about the malware the US agencies can make it easier for companies to protect themselves from the attacks.

The alert advised organisations to keep operating systems and software up-to-date with the latest patches, as most attacks target vulnerable applications and operating systems.

"Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker," the alert said.

Other common-sense security recommendations include keeping antivirus software up-to-date, and restricting users' abilities to install and run unwanted software applications.

More on cybersecurity

Editorial standards