US authorities have provided more details of two pieces of malware which, they said, are used by North Korean hackers to infiltrate computer systems and steal passwords and other data.
The Department of Homeland Security and the FBI said that North Korean hackers have been using both Joanap, a remote access tool (RAT), and Brambul, a Server Message Block (SMB) worm, since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors.
In a security alert, the agencies warn that Joanap can receive commands issued by the hackers remotely from a command-and-control server. It typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit sites compromised by the hackers, or when they open malicious email attachments.
The malware gives North Korea's hackers -- which the agencies refer to by the code-name 'Hidden Cobra' -- the ability to steal data, run further malware and initialise proxy communications on a compromised Windows device. Other functions include file management, process management, creation and deletion of directories and node management.
During analysis of the infrastructure used by Joanap malware, the US government has identified 87 compromised network nodes used as part of the hacking campaign in countries including Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan and Tunisia.
The agencies said the Brambul malware is a brute-force worm that spreads through SMB shares. SMB is the protocol that gives users shared access to files across a network. Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack over SMB to gain access to a victim's network.
Brambul is a malicious Windows 32-bit SMB worm often installed onto victims' networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol by launching brute-force password attacks using a list of embedded passwords. It also generates random IP addresses for further attacks.
Once the malware has gained unauthorized access, it communicates information about victims' systems to the hackers via email, including the IP address and host name -- as well as the username and password -- of each victim's system.
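The propagation pattern described above (a sweep of the local subnet plus randomly generated addresses, each hit with a list of embedded passwords over SMB) is the kind of behaviour a defender can pick out of connection or authentication logs. The following Python script is an added example, not code from the advisory or from this article: it parses a constructed connection log (the line format, the thresholds and every address in it are assumptions) and flags any source that opens SMB (port 445) sessions to many distinct hosts inside a short window, reporting how many targets were on the local subnet versus outside it and how many logons failed.

```python
"""Flag hosts whose SMB traffic looks like a brute-force worm sweep.

Constructed example; the log format below is an assumption, not a real
sensor's output. One line per SMB/TCP session attempt:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <auth_ok|auth_fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real data). 10.0.5.23 sweeps its own /24 and
# three outside addresses on port 445; the other hosts behave normally.
SAMPLE_LOG = """\
2018-05-29T10:00:00 10.0.5.50 10.0.5.10 445 auth_ok
2018-05-29T10:00:01 10.0.5.23 10.0.5.1 445 auth_fail
2018-05-29T10:00:01 10.0.5.23 10.0.5.2 445 auth_fail
2018-05-29T10:00:02 10.0.5.23 10.0.5.3 445 auth_fail
2018-05-29T10:00:02 10.0.5.23 10.0.5.4 445 auth_fail
2018-05-29T10:00:03 10.0.5.23 10.0.5.5 445 auth_fail
2018-05-29T10:00:03 10.0.5.23 10.0.5.6 445 auth_ok
2018-05-29T10:00:04 10.0.5.23 10.0.5.7 445 auth_fail
2018-05-29T10:00:04 10.0.5.23 10.0.5.8 445 auth_fail
2018-05-29T10:00:05 10.0.5.23 10.0.5.9 445 auth_fail
2018-05-29T10:00:05 10.0.5.23 10.0.5.10 445 auth_fail
2018-05-29T10:00:06 10.0.5.23 203.0.113.7 445 auth_fail
2018-05-29T10:00:06 10.0.5.23 198.51.100.42 445 auth_fail
2018-05-29T10:00:07 10.0.5.23 192.0.2.9 445 auth_fail
2018-05-29T10:00:08 10.0.5.23 10.0.5.200 443 auth_ok
2018-05-29T10:00:09 10.0.5.50 10.0.5.10 445 auth_ok
2018-05-29T10:30:00 10.0.5.61 10.0.5.10 445 auth_fail
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "outcome": outcome})
    return events


def find_smb_spreaders(events, local_net, window=timedelta(minutes=5), min_targets=8):
    """Return {src_ip: summary} for sources that touch >= min_targets distinct
    hosts on port 445 within any `window`-long span. Thresholds are assumptions
    to be tuned per environment."""
    net = ipaddress.ip_network(local_net)
    by_src = defaultdict(list)
    for e in events:
        if e["port"] == 445:          # only SMB sessions are of interest here
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Sliding window: for each starting event, collect everything that
        # falls within `window` of it and keep the span with the most targets.
        for i, start in enumerate(evs):
            span = []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                span.append(e)
            targets = {e["dst"] for e in span}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {"targets": targets, "events": span}
        if best is None:
            continue
        targets = best["targets"]
        local = {t for t in targets if ipaddress.ip_address(t) in net}
        findings[src] = {
            "distinct_targets": len(targets),
            "local_targets": len(local),           # subnet sweep component
            "external_targets": len(targets - local),  # random-address component
            "auth_failures": sum(e["outcome"] == "auth_fail" for e in best["events"]),
            "auth_successes": sum(e["outcome"] == "auth_ok" for e in best["events"]),
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_smb_spreaders(parse_log(SAMPLE_LOG), "10.0.5.0/24").items():
        print(f"{src}: {summary}")
```

In practice the event stream would come from a network sensor's connection log or from Windows Security event ID 4625 (failed logon) on the targeted hosts rather than from a hand-written text block, and the `min_targets` and `window` values would be tuned against normal file-server traffic so that backup agents and vulnerability scanners do not trip the rule. The mix of a successful logon among many failures, from one workstation against hosts both inside and outside its subnet, is the signal worth escalating.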
Deterring North Korea's hackers has proved difficult, but by going public with some of the information about the malware the US agencies can make it easier for companies to protect themselves from the attacks.
The alert advised organisations to keep operating systems and software up-to-date with the latest patches, as most attacks target vulnerable applications and operating systems.
"Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker," the alert said.
Other common-sense security recommendations include keeping antivirus software up-to-date, and restricting users' abilities to install and run unwanted software applications.