CISA, FBI and DOD Issue Warning on North Korea-Linked Malware


New threat variants allow Hidden Cobra to remotely access and control systems—and banks should look sharp.

Federal agencies are urging organizations to take countermeasures against seven variants of malware associated with North Korea, or Hidden Cobra, the name U.S. officials use for the country's state-sponsored cyber activity.

The group includes remote access trojan, or RAT, malware which, if executed, could let attackers move through a compromised system and perform actions such as uploading and downloading files and monitoring the microphone, clipboard and screen.

“Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation,” said the agencies, who released the analysis today along with the Defense Department. 

CISA, the Office of the Director of National Intelligence and the National Security Agency have committed to sharing more information on cyber threats publicly so the private sector can harden its defenses against them in a timely manner.  

CISA did not say why the warning was issued at this particular point, but close observers have recently noted advances in North Korean efforts to circumvent sanctions, which is also the motivation behind the ransomware attacks typically associated with the nation-state.

North Korea's primary mission is to raise funds for the regime, Wesley McGrew, director of cyber operations at the security firm HORNE Cyber, told Nextgov, which raises a red flag specifically for the financial sector.

“Long-term, sanctions and self-imposed isolation have a negative impact on their ability to conduct trade and raise funds in legitimate ways,” McGrew said. “This will result in a greater urgency for them to conduct criminal/financial cyber operations, which they've been successful with in the past. I'd expect to see more ransomware and banking malware from them.”

McGrew said, “their cyber operations are agile and diverse, in that they will adjust to whatever tradecraft is necessary or most profitable.”

Among the malware analyzed, one called “BUFFETLINE” can delete files and create and terminate processes. Others, such as “SLICKSHOES” and “HOTCROISSANT,” can capture the screen.

CISA’s recommendations for shoring up security are largely the same across the threat variants and include basic cybersecurity practices such as keeping antivirus signatures and operating system patches up to date, using strong passwords or Active Directory authentication, and restricting users' permission to install and run unwanted software.

The reports also include scripts for decrypting and extracting embedded files.