Advanced persistent threat group Hidden Cobra has its hacking tools exposed by US security agencies
An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, that gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Recently, Hidden Cobra's hacking tools were exposed by the US Federal Bureau of Investigation and the Department of Homeland Security. The disclosure was the result of a broad government effort to combat the advanced persistent threat group, which has been active for a number of years.
According to the US Computer Emergency Readiness Team (US-CERT), the agencies have released Malware Analysis Reports (MARs) for tools named Copperhedge, Taintedscribe, and Pebbledash, which the agencies said come from the Hidden Cobra toolbox.
The information contained in the alerts and MARs listed above is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the Federal Bureau of Investigation to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.
The tools used by Hidden Cobra allow the group to remotely access systems, install spyware, and steal the information stored on them.
The US-CERT documentation includes malware samples with descriptions, suggested response actions, and recommended mitigation techniques to help organizations identify and fight attacks by North Korean state-sponsored actors.
The malware affected over 300,000 machines in 150 countries, the government said; the disclosure came on a symbolic date, the third anniversary of the infamous WannaCry attack.
Copperhedge is a full-featured remote access tool that can run arbitrary commands, perform system reconnaissance, and exfiltrate data, according to its report. It is one of six distinct variants of the malware classified under a family of tools called Manuscrypt; each variant is categorized based on common code and a common class structure.
Taintedscribe is a full-featured beaconing implant, including its command modules. The posted samples use FakeTLS for session authentication and a Linear Feedback Shift Register (LFSR) algorithm for network encryption, according to US-CERT.
The main executable of this tool disguises itself as Microsoft's Narrator to download a command execution module from a command and control (C2) server. At this point, Taintedscribe can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
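As an added illustration (not code from the US-CERT reports or from the implant itself), the following shows why a Linear Feedback Shift Register keystream like the one reported for Taintedscribe's network encryption helps analysts more than it hides traffic: the keystream is linear, so a known or guessable plaintext segment (a fixed beacon header, say) exposes enough keystream bits for Berlekamp-Massey to recover the recurrence and regenerate the rest of the stream. The register length, taps, seed and sample message are constructed for the demo and are not the implant's real parameters.

```python
def lfsr_keystream(seed, taps, nbits):
    """Fibonacci LFSR over GF(2): emit state[0], shift, feed back parity of taps."""
    state, out = list(seed), []
    for _ in range(nbits):
        out.append(state[0])
        state = state[1:] + [sum(state[t] for t in taps) & 1]
    return out

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]
def to_bytes(bits):
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))
def xor_stream(data, keybits):
    return to_bytes([x ^ k for x, k in zip(to_bits(data), keybits)])

def berlekamp_massey(s):
    """Shortest linear recurrence over GF(2) generating bit list s -> (L, c)."""
    n = len(s)
    c, b, L, m = [1] + [0] * n, [1] + [0] * n, 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m + 1):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def extend_keystream(known, L, c, total):
    """Run the recurrence s[i] = XOR_j c[j]*s[i-j] forward to `total` bits."""
    s = list(known)
    while len(s) < total:
        s.append(sum(c[j] & s[-j] for j in range(1, L + 1)) & 1)
    return s

def recover_plaintext(ciphertext, known_prefix):
    """Analyst side: a known or guessable prefix (a fixed beacon header, say)
    exposes keystream bits; Berlekamp-Massey then regenerates the rest."""
    ks = [x ^ p for x, p in zip(to_bits(ciphertext), to_bits(known_prefix))]
    L, c = berlekamp_massey(ks)
    return xor_stream(ciphertext, extend_keystream(ks, L, c, 8 * len(ciphertext))), L

# Constructed demo values: NOT the implant's real register, taps or seed.
PLAINTEXT = b"BEACON/1.0 hello|host=WS01;user=jdoe;cmd=enum-system"
SEED, TAPS = to_bits(bytes([0xE1, 0xAC])), [0, 2, 3, 5]  # 16-bit register
def demo():
    """Encrypt with the LFSR, then recover all of it from the 16-byte header."""
    ct = xor_stream(PLAINTEXT, lfsr_keystream(SEED, TAPS, 8 * len(PLAINTEXT)))
    return recover_plaintext(ct, PLAINTEXT[:16])
```

Sixteen known bytes give 128 keystream bits, far more than the 2L needed for a register of length L = 16, so the whole message decrypts without the seed ever being known.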
Pebbledash is also a full-featured beaconing implant that uses FakeTLS for session authentication and RC4 for network encoding, but it has no command modules, according to the US-CERT post. This piece of malware can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Last year, Hidden Cobra struck again, using a never-before-seen spyware variant called Hoplight to target U.S. companies and government agencies in active attacks.