US-CERT warns of new RAT threat from North Korea

By on
US-CERT warns of new RAT threat from North Korea

State-sponsored malware writers sharing code.

The United States Computer Emergency Readiness Team (US-CERT) has issued a fresh warning that a new piece of malware believed to be created by North Korean government actors is on the lose on networks around the world.

Known as KEYMARBLE, the malware is a Remote Access Trojan (RAT), US-CERT said and cautioned users against opening attachments in emails, even when the sender appears to be known.

The RAT is a 32-bit Windows executable that can access device configuration data, download further files, run commands, modify the Windows Registry configuration and settings database, take screenshots and exfiltrate data, according to the Malware Analysis Report (MAR) by US-CERT.

US-CERT believes KEYMARBLE is disseminated by a North Korean hacking group called Hidden Cobra, which could be linked to other government-sponsored malware authors in the reclusive communist dictatorship, research by security vendors Intezer and McAfee show.

Intezer and McAfee say they have been able to link multiple North Korean hacking groups through significant code reuse in the malware utilised by them for attacks, after months of research and data gathering.

This includes the infamous WannaCry destructive malware, that used the same Windows Server Message Block (SMB) file sharing protocol module as the Mydoom, Joanap and DeltaAlfa malicious programs did.

The above malware has been attributed to North Korean hacking group Lazarus.

Intezer and McAfee said the Lazarus group has reused the SMB module from at least 2009 to 2017.

"From the Mydoom variant Brambul to the more recent Fallchill, WannaCry, and the targeting of cryptocurrency exchanges, we see a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor," Intezer scientist Christiaan Beek and security researcher Jay Rosenberg wrote.

Apart from Lazarus, the security researchers believe Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain are North Korean and share code with one another.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hidden cobra keymarble lazarus group malware north korea security us cert wannacry
In Partnership With

Most Read Articles

Wipro hacked, internal systems used to attack customers: report

Wipro hacked, internal systems used to attack customers: report
Vodafone makes aggressive play for 100Mbps NBN users

Vodafone makes aggressive play for 100Mbps NBN users
Optus sets $85 a month as its new entry-level NBN price

Optus sets $85 a month as its new entry-level NBN price
Photos: Inside Downer's "trains with brains" depot

Photos: Inside Downer's "trains with brains" depot
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Stop Parasites on your Network with Sophos
Stop Parasites on your Network with Sophos
Stop your Oracle database slowing down your business
Stop your Oracle database slowing down your business
How Macquarie University has prepared for fire and flood
How Macquarie University has prepared for fire and flood
Guide to Fully-Composable Software-Defined Private Cloud
Guide to Fully-Composable Software-Defined Private Cloud
Is slow data silently killing your business? Here's why you should care.
Is slow data silently killing your business? Here's why you should care.

Events

Log In

Username / Email:
Password:
  |  Forgot your password?