DHS and FBI Issue Alert on North Korean APT
The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint Technical Alert (TA) detailing the IP addresses and additional indicators of compromise (IOCs) associated with two malware variants used in cyber operations conducted by the North Korean advanced persistent threat (APT) group Hidden Cobra, also known as Lazarus Group. The alert provides .csv and .stix files containing the IOCs for a remote access trojan (RAT) known as Joanap and a Server Message Block (SMB) worm known as Brambul that can be downloaded and used by network defenders to reduce their exposure to related malicious cyber activity. The FBI has high confidence that Hidden Cobra is using the IP addresses provided in the TA to maintain persistence on victims’ systems and enable network exploitation. The National Cybersecurity and Communications Integration Center (NCCIC) conducted technical analysis on the two malware variants and published a Malware Analysis Report (MAR) that examines the tactics, techniques, and procedures observed. The NJCCIC recommends users and administrators review the TA and associated MAR, scan their networks for the IOCs provided in the reports, and implement the recommended mitigation strategies. If associated Hidden Cobra activity is detected, isolate the affected system(s) from the network immediately, and report the incident to the NJCCIC and the NCCIC or FBI CyWatch.
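The TA's IOC files are only useful once they are matched against local telemetry. As an added example (not code from the alert, NCCIC or NJCCIC), the Python below loads a constructed IOC CSV in the general shape of such a .csv export and scans constructed firewall log lines for connections to listed addresses, flagging SMB (port 445) hits and listing the internal hosts that completed a connection, since those are the systems the alert says to isolate. The IP addresses (RFC 5737 documentation ranges), CSV columns and log format are assumptions, not the real Hidden Cobra indicators.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, Set

# Constructed IOC CSV (documentation addresses, NOT the alert's real indicators).
IOC_CSV = """indicator,type,malware
192.0.2.10,ipv4-addr,Joanap
198.51.100.7,ipv4-addr,Brambul
"""

# Constructed firewall log lines: timestamp, src, dst, dport, action.
FIREWALL_LOG = """2018-05-29T10:01:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2018-05-29T10:01:05Z src=10.0.0.8 dst=203.0.113.9 dport=80 action=allow
2018-05-29T10:02:17Z src=10.0.0.5 dst=198.51.100.7 dport=445 action=allow
2018-05-29T10:03:44Z src=10.0.0.9 dst=198.51.100.7 dport=445 action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def load_ip_iocs(csv_text: str) -> Dict[str, str]:
    """Return {ip: malware_family} for ipv4-addr rows; ip_address() rejects junk."""
    iocs: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "ipv4-addr":
            continue
        ip = str(ipaddress.ip_address(row["indicator"].strip()))
        iocs[ip] = row["malware"]
    return iocs

def scan_log(log_text: str, iocs: Dict[str, str]) -> List[dict]:
    """Flag every connection whose destination is a listed IOC; mark SMB (445) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        dst = m["dst"]
        if dst in iocs:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                         "malware": iocs[dst], "smb": m["dport"] == "445",
                         "allowed": m["action"] == "allow"})
    return hits

def hosts_to_isolate(hits: List[dict]) -> Set[str]:
    """Internal hosts that completed (allowed) a connection to an IOC address."""
    return {h["src"] for h in hits if h["allowed"]}
```

A denied connection still counts as a hit worth investigating (the host attempted contact), but only allowed ones land on the isolation list.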