![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2019\/04\/Joanap-and-Brambul-Malware-1024x535.png\" "\\"Joanap")
<\/p>\n<\/p>\n
Joanap and Brambul Malware has come from North Korea that has infected numerous Microsoft Windows computers globally over the last decade. On 30th<\/sup>\u00a0January 2019 United States Department of Justice (DoJ) announced that, its effort to map and further disrupt a botnet that has tied to North Korea.<\/p>\n <\/p>\n HIDDEN COBRA actors are using both Joanap and Brambul malware to target multiple victims globally\u00a0from 2009 and in the United States.<\/p>\n The Hidden Cobra is the same hacking group that was allegedly associated with the WannaCry ransomware, the SWIFT Banking attack, as well as Sony Motion Pictures hacking.<\/p>\n The Department of Homeland Security, DoJ and FBI further investigate and found that IP addresses and indicator of compromise (IOCs) used by North Korean government associated with two malware.<\/p>\n <\/p>\n Joanap: It is a backdoor Trojan and also known as Remote access tool (RAT) is a type of malware, which lands on victims system used by government of North Korea. It enters with the help of SMB worm known as Brambul.<\/p>\n Brambul: It also known as SMB worm is type of malware, which is malicious to Windows 32-bit SMB. It enters through SMB and dropped Joanap on the infected windows systems. As Joanap is, install in system it open a backdoor for its HIDDEN COBRA masterminds and giving them remote control over the network of infected systems.<\/p>\n <\/p>\n It is a type of malware also known as remote access tool. It is a two-stage malware, which means another software drops it, in this case Brambul worm, which download Joanap in infected windows system. Joanap then establish peer-to-peer communications and used to manage botnets that are designed to enable other operations. After successfully installation of Joanap on Infected windows systems, it opens a backdoor for its HIDDEN COBRA actors with the ability to steal the data, exfiltration of data, drop and run secondary payloads and giving them remote control over the network of infected systems. It includes other notable functions file management, Process management, Creation and deletion of directories, Node management and initialize proxy communications on a compromised windows device.<\/p>\n After executing Trojan, it creates the following files:<\/p>\n The Trojan then creates the following registry entries:<\/p>\n Further analysing and investigating, found that the malware encode data using RC4 cipher encryption to its communication with HIDDEN COBRA actors. After Joanap Installed, the malware creates the log entry within the window system directory in a file name as mssscardprv.ax. Which uses by HIDDEN COBRA actors to capture and store victim\u2019s sensitive information use.<\/p>\n <\/p>\n It is a type of malware also known as SMB worm, which is malicious to Windows 32-bit SMB that functions as a service dynamic library file or a portable executable file get dropped and installed into victims systems by dropper malware. It enters through SMB and dropped Joanap on the infected windows systems. After successful installation, the malware established contact with victims systems and IP addresses on victims local subnets.<\/p>\n A successful attack lead malware to gain unauthorized access via the SMB protocol (Port no. 445 and 139). It gains unauthorized access by launching a brute-force password using a list of known and common passwords. After successfully bypass login, the malware generates random IP addresses for further attacks. It communicates information about victims systems to HIDDEN COBRA actors using malicious email addresses. This information includes of Sensitive Information, IP address and hostname, as well as the username and password of each victims system.<\/p>\n It identified the following built-in-functions for remote operations:<\/p>\n The U.S. Government analyse the infrastructure used by Joanap malware and identified 87 compromised network nodes. The following countries are where the infected IP addresses are registered are as follows:<\/p>\n <\/p>\n <\/p>\n https:\/\/thehackernews.com\/2019\/01\/north-korea-hacker.html<\/a><\/p>\nOverview of Joanap and Brambul Malware<\/strong><\/h3>\n
\n
Description<\/strong><\/h3>\n
Working<\/strong><\/h3>\n
Joanap<\/strong><\/h4>\n
\n
\n
Brambul<\/strong><\/h4>\n
\n
\n\n
\n Argentina<\/td>\n Egypt<\/td>\n Spain<\/td>\n<\/tr>\n \n Belgium<\/td>\n India<\/td>\n Sri Lanka<\/td>\n<\/tr>\n \n Brazil<\/td>\n Iran<\/td>\n Sweden<\/td>\n<\/tr>\n \n Cambodia<\/td>\n Jordan<\/td>\n Taiwan<\/td>\n<\/tr>\n \n China<\/td>\n Pakistan<\/td>\n Tunisia<\/td>\n<\/tr>\n \n Colombia<\/td>\n Saudi Arabia<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nImpact of Joanap and Brambul Malware<\/strong><\/h3>\n\n
Mitigation<\/strong><\/h3>\n
\n
References:<\/strong><\/h3>\n