{"id":1006,"date":"2018-06-05T16:03:48","date_gmt":"2018-06-05T16:03:48","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=1006"},"modified":"2020-05-06T10:27:05","modified_gmt":"2020-05-06T17:27:05","slug":"hidden-cobra-attacks-again-using-rat-and-smb-malware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/hidden-cobra-attacks-again-using-rat-and-smb-malware\/","title":{"rendered":"Hidden Cobra Attacks Again using RAT and SMB Malware"},"content":{"rendered":"

On May 29th, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published two\u00a0joint technical alerts<\/a>\u00a0(JTAs) disclosing and describing threat indicators associated with the Joanap remote access tool (RAT) and the Brambul Server Message Block (SMB) worm. The alert attributes use of these malwares to the North Korean government (PRK) and Hidden Cobra activity. Hidden Cobra is a North Korean state sponsored cyber unit that has been targeting several industries using various sophisticated attacks. This investigation revealed 87 compromised network nodes across 17 countries, and the FBI reports a high level of confidence that compromised devices operating from the IP addresses mentioned in the report are used in ongoing HIDDEN COBRA campaigns.<\/p>\n

According to the report, HIDDEN COBRA actors have likely used Joanap and Brambul malware since at least 2009, to target multiple victims including several from the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Additionally, DHS and the FBI recommend reviewing information related to Joanap and Brambul from the\u00a0Operation Blockbuster Destructive Malware Report<\/a>.<\/p>\n

Joanap Remote Access Trojan<\/strong><\/p>\n

The Joanap Trojan Backdoor is a remote access tool (RAT) which targets computers running Microsoft Windows operating systems. It has features for peer-to-peer communication, data exfiltration, proxying network traffic, and downloading and executing additional malware which could extend the attackers capabilities. The Joanap RAT is typically downloaded without the system owner\u2019s knowledge as a secondary infection.\u00a0 HIDDEN COBRA and other threat actors often compromise legitimate domains in order to infect systems visiting the site as well as distribute the malware through email.<\/p>\n

Notable functions for Joanap include:<\/p>\n