North Korea’s Hidden Cobra Attack Campaign

June 23, 2017 | Devika Jain


Hidden Cobra is the name recently given to North Korea’s DDoS botnet attack infrastructure, primarily orchestrated by the infamous Lazarus Group and Guardians of Peace. The term was coined through the collaborative efforts of the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Alert TA17-164A, issued by US-CERT (Computer Emergency Response Team), outlines in detail the attack campaigns, attack vectors, and tools funded by the North Korean government.

The campaign attempts to disrupt industries associated with finance, media, industrial complexes, and aerospace. Hidden Cobra operations have been in circulation since 2009 and use a specially crafted malware tool, referred to as DeltaCharlie, to manage and orchestrate the Hidden Cobra Distributed Denial of Service (DDoS) attacks. The sections below illustrate a few of the malware variants that support illegal operations such as DDoS, keylogging, botnet armies, data/memory wipers, and remote access tools (RAT).

Additionally, Hidden Cobra capitalizes on unpatched applications, mainly targeting vulnerabilities in Windows and Adobe products. The information supplied details a few specifics of previous attack campaigns, network signatures, past application exploits and patches, and malware families operated on behalf of the Lazarus Group.

Previous Attack Campaigns

  • Breach of Sony Pictures Entertainment (2014)
  • Operation Dark Seoul (2013)
  • Operation 1Mission (2012)
  • 10 Days of Rain (2011)
  • Operation Troy (2009-2012)
  • Operation Flame (2007-2009)
  • Operation Whiskey AlfaI
Courtesy: IBM X-Force Exchange

Previously Deployed Malware

A brief list of successful malware families is provided below; sources have identified approximately forty-five modifications of the malware types listed. The list is not exhaustive, and a significant number of variants in the wild are similar in nature, sharing obfuscation techniques, encryption keys, and slightly modified but otherwise identical source code structure.

The following malware supports operations such as remote access tools (RAT), memory and hard-disk wipers, keyloggers, and DDoS command-and-control botnet attacks.

  • MyDoom
  • DozerCastov
  • Jokra
  • DeltaAlfa / DDoS-KSig / Fibedol / Koredos
  • DeltaBravo
  • DeltaCharlie
  • HotelAlfa / Destover / NukeSped
  • IndiaAlfa / Escad / Destover Message Thread / Mdrop
  • IndiaBravo / Escad / Destover Message Thread
Courtesy: IBM X-Force Exchange

Exploited Vulnerabilities

The Hidden Cobra attack campaign, conducted on behalf of North Korea by the Lazarus Group, makes use of vulnerabilities identified in Adobe Flash, Microsoft Silverlight, and Hangul Word Processor. It is highly recommended that users and IT departments install the latest patches provided by the application vendors.

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player Vulnerability
  • CVE-2016-4117: Adobe Flash Player Vulnerability

Network Signatures

The network signatures listed below should be deployed alongside a company’s primary security appliances, such as host-based intrusion detection (HIDS) and network intrusion detection (NIDS) systems. Signatures should not, however, be the primary means or first line of defense in a company’s security posture: false positives remain common, and the proper identification, elimination, and remediation of known exploits can only be achieved through defense in-depth and in-breadth practices.

  • alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern:only; sid:1; rev:1;)
  • alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; sid:1; rev:1;)
Courtesy: IBM X-Force Exchange
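As an added illustration, not part of the original post or of the US-CERT alert, the following Python matcher parses the two rules above and applies their dsize and depth constraints to constructed sample payloads, showing which byte sequences each rule fires on and which it does not. The sids are assumed values: the alert gives both rules sid:1, and a sensor will not load two rules sharing a sid.

```python
import re

# The two Snort rules from the alert, verbatim except for the sids, which are
# made distinct here (assumed values; both rules ship as sid:1, which
# Snort/Suricata reject as duplicates within one ruleset).
RULES = [
    'alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; '
    'dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; '
    'fast_pattern:only; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; '
    'flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; '
    'fast_pattern; sid:1000002; rev:1;)',
]

def parse_rule(rule: str) -> dict:
    """Extract the options this matcher honours: msg, content (hex), dsize, depth, sid."""
    opts = dict(re.findall(r'(\w+):("[^"]*"|[^;]*);', rule))
    return {
        "sid": int(opts["sid"]),
        "msg": opts["msg"].strip('"'),
        "content": bytes.fromhex(opts["content"].strip('"|').replace(" ", "")),
        "dsize": int(opts["dsize"]) if "dsize" in opts else None,
        "depth": int(opts["depth"]) if "depth" in opts else None,
    }

SIGNATURES = [parse_rule(r) for r in RULES]

def match_payload(payload: bytes) -> list:
    """Return the sids of signatures that a client-to-server TCP payload matches."""
    hits = []
    for sig in SIGNATURES:
        if sig["dsize"] is not None and len(payload) != sig["dsize"]:
            continue                      # dsize:N -> payload must be exactly N bytes
        window = payload if sig["depth"] is None else payload[: sig["depth"]]
        if sig["content"] in window:      # depth:N -> pattern must lie within first N bytes
            hits.append(sig["sid"])
    return hits

# Constructed sample payloads (not real captures) exercising each rule's edge cases.
SAMPLES = {
    "handshake_exact":  bytes.fromhex("1817e9e9e9e9"),
    "handshake_padded": bytes.fromhex("1817e9e9e9e9") + b"\x00\x00",  # dsize:6 fails
    "beacon_with_data": bytes.fromhex("1b17e9e9e9e9") + b"\x01\x02\x03",
    "beacon_shifted":   b"\x00" + bytes.fromhex("1b17e9e9e9e9"),      # outside depth:6
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:17s} {payload.hex():20s} -> {match_payload(payload)}")
```

The handshake rule fires only on a payload of exactly six bytes, while the beacon rule fires on any length as long as the six-byte marker occupies the start of the payload; a real sensor additionally enforces the flow:established,to_server condition, which this offline matcher assumes.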

Key Takeaways

The highly funded Lazarus Group associated with North Korea continues to be a significant concern on a global scale. Major cyber security attacks, including the Sony breach of 2014 and now the Hidden Cobra campaign, have validated that the state-sponsored Lazarus Group is a force to be reckoned with.

Attacks on behalf of North Korea will continue to rise, and it is imperative that every country outside North Korea understands the consequences of these attacks on its infrastructure. Ensuring and enforcing the security protocols required for defense in-depth and in-breadth will be of the utmost importance for proper protection and awareness.