US authorities reveal new North Korean malware to mark WannaCry attack anniversary

Three years have passed since the WannaCry ransomware epidemic, which affected companies and organizations around the world, and the landscape of information security has forever changed. In honor of WannaCry attacks anniversary, US authorities talked about a new North Korean malware.

Researchers and authorities unanimously blamed in the incident North Korean hackers, and the US government even charged in absentia to a certain suspect.

Recall that a US court found guilty in cybercrimes hacker Markus Hutchins, who stopped WannaCry.

This week, to celebrate the anniversary, specialists from the FBI, the US Department of Defense and the Cybersecurity and Infrastructure Protection Agency, organized by the US Department of Homeland Security (DHS CISA), revealed authorship of the malware, attributed to North Korean hack group Lazarus, also known like Hidden Cobra. New malware was not only described in the report, but also downloaded samples on VirusTotal.

“US authorities have been publishing information about the North Korean malware since 2017, and to date, 28 different threats have already been revealed. The idea of this initiative is to make information about the malware public and accessible. Then the public and private sectors will be able to easily detect and block attacks using the described malware, and this will complicate the life of North Korean hackers, forcing them to constantly work on new versions of their tools, exploits and malware”, – says the report.

This week, the following threats were made public:

COPPERHEDGE – Remote Access Trojan (RAT), capable of launching arbitrary commands, performing reconnaissance and stealing data. Six different options were discovered.

TAINTEDSCRIBE is a malicious implant (trojan) that is installed on hacked systems to receive and execute malicious commands. Uses FakeTLS for session authentication, and uses Linear Feedback Shift Register (LFSR) algorithm for encryption. The main executable is disguised as Microsoft’s Narrator.

PEBBLEDASH – another implant that has the ability to download, upload, delete and execute files; Enable Windows CLI Access create and complete processes, and so on.

Kaspersky Lab expert Kostin Raiu writes that all three types of malware are really associated with well-known North Korean hack groups. According to him, the code of the published samples is similar to the malicious code Manuscrypt, which was discovered by Kaspersky Lab in 2017 and was used to attack cryptocurrency exchanges.

Recall also that recently a vulnerability with the potential of the worm was discovered in Windows in the same protocol that WannaCry used.