Joanap and Brambul Malware has come from North Korea that has infected numerous Microsoft Windows computers globally over the last decade. On 30th January 2019 United States Department of Justice (DoJ) announced that, its effort to map and further disrupt a botnet that has tied to North Korea.

Overview

HIDDEN COBRA actors are using both Joanap and Brambul malware to target multiple victims globally from 2009 and in the United States.

The Hidden Cobra is the same hacking group that was allegedly associated with the WannaCry ransomware, the SWIFT Banking attack, as well as Sony Motion Pictures hacking.

The Department of Homeland Security, DoJ and FBI further investigate and found that IP addresses and indicator of compromise (IOCs) used by North Korean government associated with two malware.

  • Joanap, also known as Remote Access Tool (RAT)
  • Brambul, also known as Server Message Block (SMB) worm.

Description

Joanap: It is a backdoor Trojan and also known as Remote access tool (RAT) is a type of malware, which lands on victims system used by government of North Korea. It enters with the help of SMB worm known as Brambul.

Brambul: It also known as SMB worm is type of malware, which is malicious to Windows 32-bit SMB. It enters through SMB and dropped Joanap on the infected windows systems. As Joanap is, install in system it open a backdoor for its HIDDEN COBRA masterminds and giving them remote control over the network of infected systems.

Working

Joanap

It is a type of malware also known as remote access tool. It is a two-stage malware, which means another software drops it, in this case Brambul worm, which download Joanap in infected windows system. Joanap then establish peer-to-peer communications and used to manage botnets that are designed to enable other operations. After successfully installation of Joanap on Infected windows systems, it opens a backdoor for its HIDDEN COBRA actors with the ability to steal the data, exfiltration of data, drop and run secondary payloads and giving them remote control over the network of infected systems. It includes other notable functions file management, Process management, Creation and deletion of directories, Node management and initialize proxy communications on a compromised windows device.

After executing Trojan, it creates the following files:

  • %System%\scardprv.dll
  • %System%\wcssvc.dll
  • %System%\mssscardprv.ax

The Trojan then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Security\”Security” = “[HEXADECIMAL VALUE]”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Parameters\”ServiceDll” = “%System%\scardprv.dll”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”Type” = “20”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”Start” = “2”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ObjectName” = “LocalSystem”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ImagePath” = “%System%\svchost.exe -k SCardPrv”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”ErrorControl” = “1”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\”DisplayName” = “SmartCard Protector”

Further analysing and investigating, found that the malware encode data using RC4 cipher encryption to its communication with HIDDEN COBRA actors. After Joanap Installed, the malware creates the log entry within the window system directory in a file name as mssscardprv.ax. Which uses by HIDDEN COBRA actors to capture and store victim’s sensitive information use.

Brambul

It is a type of malware also known as SMB worm, which is malicious to Windows 32-bit SMB that functions as a service dynamic library file or a portable executable file get dropped and installed into victims systems by dropper malware. It enters through SMB and dropped Joanap on the infected windows systems. After successful installation, the malware established contact with victims systems and IP addresses on victims local subnets.

A successful attack lead malware to gain unauthorized access via the SMB protocol (Port no. 445 and 139). It gains unauthorized access by launching a brute-force password using a list of known and common passwords. After successfully bypass login, the malware generates random IP addresses for further attacks. It communicates information about victims systems to HIDDEN COBRA actors using malicious email addresses. This information includes of Sensitive Information, IP address and hostname, as well as the username and password of each victims system.

It identified the following built-in-functions for remote operations:

  • Harvesting system information.
  • Accepting command-line arguments.
  • It generates and executes a suicide script.
  • It propagates across the network using SMB.
  • Bypass SMB login credential by Brute forcing
  • Creating Simple Mail Transport Protocol and used to the email messages containing target host system information.

The U.S. Government analyse the infrastructure used by Joanap malware and identified 87 compromised network nodes. The following countries are where the infected IP addresses are registered are as follows:

ArgentinaEgyptSpain
BelgiumIndiaSri Lanka
BrazilIranSweden
CambodiaJordanTaiwan
ChinaPakistanTunisia
ColombiaSaudi Arabia


Impact

  • Joanap is a malicious Trojan virus, which attacks remote computers. It opens backdoors entry for remote attackers to provide access on user’s computer.
  • Joanap is a malicious program, which has developed by cybercriminals to gain illegal income.
  • Once getting control over the system, Joanap exhibits unpreventable behaviour. It asks to do a fake update of already installed programs or software in the system.
  • It slows down system processing and interrupts normal functionality of Computer systems, it also disables task manager, control panel, firewalls etc.
  • It leaves a bad impact on web browsers like Chrome/IE/Firefox to do illegal tasks. It changes the default setting to redirect users to unknown sites and replaces the original homepage and new tab with its fake one
  • It monitors activities of users such as session ids, browsing history, Downloads, bookmarks, search queries, cookies, etc. and gather all credential and personal information to perform cybercrime and earn money.

Mitigation

  • Attacker target vulnerable applications and operating systems. Up-todate operating systems and software with the latest patches, patching with latest updates reduce the risk of exploitation available to an attacker.
  • Use a firewall to block all incoming connections from the Internet that are hazardous for organization and should not be publicly available.
  • Scan all the software downloaded from the internet before executing and maintain up to date antivirus software.
  • Deny all incoming connections if it is not required and only allow services you explicitly want to offer to the outside world.
  • Disable printers, files and sharing service, If not required by the organization.
  • If services are required, use complex passwords as it makes it difficult to crack.
  • Do user awareness programme, train your employee and organization not to open email or messages attachments unless they are expecting.

References:

https://thehackernews.com/2019/01/north-korea-hacker.html

https://www.symantec.com/security-center/writeup/2015-092507-0410-99#removal

Author,

Saksham Jaiswal

Attack & PenTest Team

Varutra Consulting