The U.S. Department of Homeland Security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the FBI recently exposed a new hacking activity that is apparently originated from North Korea. According to the Cyber National Mission Force (CNMF), state-sponsored hackers from North Korea distributed six different malware variants through a phishing campaign. It’s said that the malware provided the attackers with remote access to infected systems to steal funds which are later transferred to North Korea.
Six Malwares used in the Hacking Activity
The CNMF published the details on the six new malware samples which are under the federal authority’s radar.
- BISTROMATH – detailed as a full-featured RAT
- SLICKSHOES – described as a malware dropper (loader)
- CROWDEDFLOUNDER – detailed as a 32-bit Windows executable, which is designed to unpack and execute a RAT binary in memory
- HOTCROISSANT – a full-featured beaconing implant used for performing system surveys, file upload/download, process and command execution, and performing screen captures
- ARTFULPIE – described as an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL
- BUFFETLINE – described as a full-featured beaconing implant, which downloads, uploads, deletes, and executes files
North Korea was accused multiple times earlier for stealing valuable information and cryptocurrencies. Through the years, North Korea has been linked to a series of cyberattacks, either to display its cyber prowess or just to fund their activities.
CISA Relates Malware to Lazarus Group
CISA related the malware activity to a North Korean government-backed hacking group tracked as “Hidden Cobra”, which is a part of the notorious threat actor unit “Lazarus Group”. The Lazarus Group was involved in various cyberattacks that were reported earlier. Recently, security pros from K7 Labs discovered that hackers of Lazarus Group distributed malware that targeted MacOS users to create fake cryptocurrency trading applications.