Today, US cyber-security officials have published details about three malware strains that have been used by North Korea’s government-sponsored hackers to attack targets all over the world.
The announcement coincided with the three-year anniversary of the WannaCry ransomware outbreak, which US officials have formally blamed on the Pyongyang regime, going as far as to press criminal charges against one of the hackers involved.
The three malware strains exposed today are named:
COPPERHEDGE – a remote access trojan (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six different variants have been identified.
TAINTEDSCRIBE – a malware implant (trojan) installed on hacked systems to receive and execute the attacker’s commands. The samples use FakeTLS for session authentication and for network encryption, the latter based on a Linear Feedback Shift Register (LFSR) algorithm: the traffic is shaped to look like a TLS handshake to network inspection, but the payload is protected by the custom LFSR cipher rather than by real TLS. The main executable disguises itself as Microsoft’s Narrator, the Windows screen reader.
PEBBLEDASH – another implant. It can download, upload, delete, and execute files; provide Windows command-line access; create and terminate processes; and enumerate the target system.
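To make the TAINTEDSCRIBE description concrete, the following is an added example written for this article, not code from the CISA reports or from the malware itself: a generic Fibonacci LFSR used as a keystream generator, XORed over data. The register width, taps (the maximal-period 16-bit polynomial x^16 + x^14 + x^13 + x^11 + 1), seed and sample message are arbitrary choices for the demonstration and are not TAINTEDSCRIBE’s parameters, which the advisories as summarised here do not give. It also shows the check a defender would want: LFSR output is linear, so a short stretch of known plaintext (a predictable protocol header, say) recovers keystream bits, and the Berlekamp-Massey algorithm then reconstructs the whole stream without the seed or the taps. In other words, the FakeTLS layer is about evading inspection, not about real confidentiality.

```python
"""Generic LFSR stream cipher and its known-plaintext break.

Illustrative only: WIDTH, TAPS, the seed and the sample message below are
arbitrary choices for this example and are NOT TAINTEDSCRIBE's parameters.
"""

WIDTH = 16
TAPS = (0, 2, 3, 5)  # x^16 + x^14 + x^13 + x^11 + 1 (example polynomial, period 65535)


def lfsr_bits(seed: int, nbits: int, taps=TAPS, width=WIDTH) -> list[int]:
    """Fibonacci LFSR: emit the low bit, shift right, feed the XOR of the
    tapped bits back into the high bit. Returns nbits keystream bits."""
    if not 0 < seed < (1 << width):
        raise ValueError("seed must be non-zero and fit the register")
    state, out = seed, []
    for _ in range(nbits):
        out.append(state & 1)
        fb = 0
        for t in taps:
            fb ^= (state >> t) & 1
        state = (state >> 1) | (fb << (width - 1))
    return out


def bits_to_bytes(bits: list[int]) -> bytes:
    """Pack bits into bytes, least-significant bit first; a trailing partial byte is dropped."""
    return bytes(
        sum(bits[i + j] << j for j in range(8))
        for i in range(0, len(bits) - len(bits) % 8, 8)
    )


def bytes_to_bits(data: bytes) -> list[int]:
    """Inverse of bits_to_bytes (least-significant bit first)."""
    return [(b >> j) & 1 for b in data for j in range(8)]


def lfsr_crypt(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream. Encryption and decryption are the same call."""
    ks = bits_to_bytes(lfsr_bits(seed, 8 * len(data)))
    return bytes(a ^ b for a, b in zip(data, ks))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext gives the keystream for free: ks = ct XOR pt."""
    return bytes(a ^ b for a, b in zip(ciphertext, known_plaintext))


def berlekamp_massey(bits: list[int]):
    """Shortest LFSR over GF(2) that generates `bits`.
    Returns (L, c) with c[0] = 1 and s[n] = XOR_{j=1..L} c[j] * s[n-j]."""
    n = len(bits)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                      # discrepancy between prediction and actual bit
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]     # c(x) += x^shift * b(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def extend_keystream(known_bits: list[int], total_bits: int) -> list[int]:
    """Fit an LFSR to the recovered stretch and clock it forward. Any LFSR of
    width w is pinned down by 2*w consecutive output bits."""
    L, c = berlekamp_massey(known_bits)
    bits = list(known_bits)
    while len(bits) < total_bits:
        nb = 0
        for j in range(1, L + 1):
            nb ^= c[j] & bits[-j]
        bits.append(nb)
    return bits


def demo() -> bool:
    """Encrypt a constructed message, then break it knowing only 5 plaintext bytes."""
    seed = 0xACE1                                          # example seed
    plaintext = b"GET /update HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed sample
    ct = lfsr_crypt(plaintext, seed)
    if lfsr_crypt(ct, seed) != plaintext:                  # symmetric
        return False
    # The attacker knows only the first 5 bytes (40 bits >= 2*WIDTH) of plaintext...
    ks_known = bytes_to_bits(recover_keystream(ct[:5], plaintext[:5]))
    # ...and reconstructs the whole keystream without the seed or the taps.
    full_ks = bits_to_bytes(extend_keystream(ks_known, 8 * len(ct)))
    recovered = bytes(a ^ b for a, b in zip(ct, full_ks))
    return recovered == plaintext


if __name__ == "__main__":
    print("known-plaintext break succeeded:", demo())
```

The practical reading: an LFSR keystream hides bytes from a casual glance at a packet capture, but anyone who can guess a few bytes of the protocol header can decrypt the rest of the session. Detection therefore should not assume the traffic is opaque; a sample and a known header are enough to write a decryptor for analysis.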
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published official advisories for the three malware strains on its website.
US Cyber Command has also uploaded samples for the three malware strains on its VirusTotal account.
Costin Raiu, a malware analyst for Kaspersky’s GReAT, confirmed that the three malware strains were linked to known North Korean threat groups. Per Raiu, the samples contained code similarities with Manuscrypt, a known North Korean malware family, which Kaspersky had discovered in 2017.
Besides the WannaCry anniversary, today also marks three years since the US government began publishing alerts on North Korean malware and hacking activity on its website.
Since May 12, 2017, the DHS has published reports on 28 malware samples.
The rationale is that by making information on these malware strains freely available, the public and private sectors can deploy detection rules to block attacks that use these tools, forcing North Korean hackers to keep building new versions that bypass security checks rather than reaping the rewards of their hacking operations.