Destructive Trojan SHARPKNOT Used by North Korean APT Group

On March 28, the National Cybersecurity and Communications Integration Center (NCCIC) released a Malware Analysis Report (MAR) detailing analysis by the US DHS and FBI of a newly identified trojan variant dubbed “SHARPKNOT,” used in cyber operations conducted by the North Korean advanced persistent threat (APT) group HIDDEN COBRA, aka Lazarus Group. The malware targets systems running Windows OS and is executed via the command line. Once executed, it first attempts to disable the “System Event Notification” and “Alerter” services, the latter of which exists only in the End-of-Life (EOL) operating systems Windows XP and Windows 2003. The malware then overwrites and deletes the Master Boot Record (MBR) and deletes files on mapped network shares and physically connected storage devices. Once these files have been deleted, the system is rebooted and left inoperable.

The NJCCIC recommends that those who could be considered targets of North Korean APT cyber operations review the NCCIC MAR for more information on the SHARPKNOT trojan, scan their networks using the YARA rule and Indicators of Compromise (IoCs) provided, and add the STIX file to their threat intelligence sharing platform. If your organization has been impacted by the activity outlined in the MAR, the NJCCIC recommends immediately removing the affected systems from your network and contacting the NJCCIC via the Cyber Incident Report Form or by calling 609-963-6900 ext. 7865. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; keep antivirus, hardware, and software up to date; disable unnecessary services on workstations and servers; and establish strong identity and access management controls, including multi-factor authentication.
Additionally, users and administrators can better protect their MBR by installing MBR Filter, a Windows disk filter released by Cisco Talos that blocks write access to the MBR, available on GitHub. The NJCCIC makes no claim as to the effectiveness of this tool and users are advised to exercise caution when downloading and installing any software from the internet.
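Alongside a write-blocking filter, administrators can baseline the MBR on a known-good system and re-check it periodically, so an overwrite of the kind described above is detected before the next reboot. The script below is an added example, not NJCCIC, NCCIC or Cisco Talos code; the disk path and the sample MBR bytes are constructed assumptions.

```python
"""Baseline-and-verify check for the 512-byte Master Boot Record (MBR).
Added example (not from the advisory); disk path is an assumption and
reading it requires administrator rights on Windows."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check and the four partition table entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # partition table starts at offset 446, 16 bytes per entry
        entry = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE, "partitions": parts}

def mbr_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr).hexdigest()

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR still matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: MBR likely overwritten")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table is empty")
    if mbr_sha256(mbr) != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings

def read_disk_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:  # assumed device path
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)

# Constructed sample: one bootable NTFS-type (0x07) partition starting at LBA 2048
def _sample_mbr() -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return b"\x00" * 446 + entry + b"\x00" * 48 + BOOT_SIGNATURE

GOOD_MBR = _sample_mbr()
BASELINE = mbr_sha256(GOOD_MBR)  # record this while the system is known-good
WIPED_MBR = b"\x00" * MBR_SIZE    # what an overwrite with zeros leaves behind

if __name__ == "__main__":
    print("known-good:", check_mbr(GOOD_MBR, BASELINE))
    print("wiped:     ", check_mbr(WIPED_MBR, BASELINE))
```

Store the baseline hash off the host (the malware also deletes files on local and mapped storage), and alert on any non-empty finding list.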