Taming the Hidden Cobra: The DPRK’s malware brigade

What is Hidden Cobra?

While it may sound like the final technique learned from Jackie Chan in a young adult movie, Hidden Cobra is actually the moniker given to state-sponsored actors executing cyber crime activities on behalf of the North Korean government. Before federal agencies reported on the activities of DPRK’s Hidden Cobra, the group was dubbed by the private sector as Lazarus Group or Guardians of Peace. Hidden Cobra is an extension of the North Korean government and targets both public and private entities with malware, data wipers, DDoS, and SMB worm tools. Known variants of Destover, Duuzer, and Hangman exploits are common modus operandi for Hidden Cobra. In addition, Hidden Cobra is notorious for its use of powerful DDoS attacks with its denial-of-service tool, DeltaCharlie.

Flushing Out the Snake

Hidden Cobra tends to target systems that run older, unpatched operating systems. The lack of firmware updates and the plethora of attack surfaces found in obsolete Microsoft operating systems make for low-hanging fruit that the serpents are able to reach. A Technical Alert issued by the Department of Homeland Security and Federal Bureau of Investigation includes a database of recognized IP addresses and network signatures that they consider Indicators of Compromise (IOCs).

Indicators of Compromise

[Clicking will begin a .csv download]

In addition to these IOCs, DHS has published a Malware Analysis Report detailing the unique functionalities and common tactics demonstrated by Hidden Cobra actors.

MAR 10132963

[Clicking will open a .pdf]

Known Vulnerabilities

As with real snakes, we have accumulated antidotes for a majority of Hidden Cobra’s venoms. The following Common Vulnerabilities and Exposures (CVEs) are typical susceptibilities targeted by Hidden Cobra:

If Adobe Flash and Microsoft Silverlight are no longer necessary applications in your system, we highly recommend removing these programs completely.

DeltaCharlie

Perhaps the most perilous tool operated by Hidden Cobra is their DDoS tool, DeltaCharlie. Sporting a standard botnet infrastructure, DeltaCharlie is used to launch DNS attacks, NTP attacks, and CGN attacks. DeltaCharlie disguises itself as a svchost service. The tool can download and operate macros, alter its own structure, and perform denial-of-service attacks on command.

If You’ve Been Targeted

Report the attack to DHS or FBI – Federal agencies are very interested in keeping tabs on the activity of North Korea’s state-sponsored cyber warfare adjuncts. You can report malware to the DHS here. They will certainly appreciate the information.
Review visitor logs for IOCs – If you suspect Hidden Cobra is responsible for a raid on your network, cross-check records from your perimeter defenses against those IP addresses outlined in the Indicators of Compromise spreadsheet provided above.
Run YARA – For readers unfamiliar with YARA, it is a tool developed by malware researchers to detect attack signatures. The Technical Alert issued by DHS and FBI includes a variety of YARA rule definitions that can quickly and effectively track down signs of Hidden Cobra malware.
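
The log cross-check described above can be scripted. The following is an added example, not code from the Technical Alert or from this post: it assumes the IOC spreadsheet is a CSV that may contain defanged addresses (`[.]`) or CIDR ranges in any column, and that perimeter logs are plain text lines. All addresses and log lines are constructed from documentation ranges.

```python
import csv
import io
import ipaddress
import re

# Constructed sample data using documentation address ranges, not real IOCs.
IOC_CSV = """indicator,type,note
192.0.2[.]10,ip,constructed
198.51.100.0/28,cidr,constructed
example[.]invalid,domain,not an address so skipped
"""
LOG_LINES = [
    "2017-06-14T10:01:02 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2017-06-14T10:01:09 DENY src=198.51.100.7 dst=10.0.0.9 dport=445",
    "2017-06-14T10:02:00 ALLOW src=10.0.0.5 dst=192.0.2.100 dport=80",
    "2017-06-14T10:03:00 ALLOW src=10.0.0.8 dst=203.0.113.4 dport=53",
]

# Dotted quad that is not part of a longer run of digits and dots.
IPV4_TOKEN = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def load_ioc_networks(csv_text):
    """Collect every cell that parses as an IP or CIDR, whatever the column layout."""
    networks = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            value = cell.strip().replace("[.]", ".")  # undo defanging
            try:
                networks.add(ipaddress.ip_network(value, strict=False))
            except ValueError:
                continue  # header, domain, hash or free text
    return networks

def find_hits(log_lines, networks):
    """Return (line_number, ip, ioc_network) for each logged address inside an IOC."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # out-of-range octets such as 999.1.1.1
            hits.extend((lineno, token, str(net)) for net in networks if addr in net)
    return hits

if __name__ == "__main__":
    for lineno, ip, net in find_hits(LOG_LINES, load_ioc_networks(IOC_CSV)):
        print(f"line {lineno}: {ip} matches IOC {net}")
```

Comparing parsed addresses rather than raw substrings keeps 192.0.2.100 from matching an IOC for 192.0.2.10, which a plain text search would report as a hit.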

Preventing Hidden Cobra Attacks

Limit admin privileges – We’ve talked about this one before. When an attacker gets into your system, you don’t want everyone inside carrying around skeleton keys.
Update your firmware – Hm. This one sounds familiar too. The straightforward warning: the older your operating system, applications, or security patches, the more likely you are to be on the receiving end of cyber crime. This is as self-explanatory as comparing a modern digital security system to a string of rattling cans strung across the lawn.
Go invite-only for your applications – The practice of whitelisting applications drastically cuts down potential attack surfaces in your network. In short, whitelisting is allowing only prescreened applications access to your system. If it’s not on the list, it stays outside.
Leverage your firewall – Firewalls provide gateway security, content filtering, IP whitelisting, application controls, user groups, and more. There are a vast number of security options available to organizations to protect their data against the likes of Hidden Cobra, but most of them require a firewall appliance to operate. Think of your firewall as the command center of your security infrastructure. Next-generation firewalls are platforms designed to provide all of the security resources you need in one powerful appliance, known as Unified Threat Management.
