The US agencies released these MARs in order to provide organizations with detailed malware analysis information acquired by manually reverse engineering malware samples. At the same time, the reports were also issued to help network defenders detect and reduce exposure to malicious activity by the North Korean government, which the US government refers to as HIDDEN COBRA.
“Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.”
North Korean malware
In addition to releasing new MARs, US Cyber Command also uploaded malware samples to VirusTotal and said in a tweet: “this malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions”.
The reports released by CISA provide detailed analysis of six new malware samples that are currently being tracked by US authorities under the names Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie and Buffetline.
While some of these are Remote Access Trojans (RATs) and malware droppers, others are described as full-featured beaconing implants used to download, upload, delete and execute files.
CISA and other US government agencies attribute the malware to a North Korean government-backed hacking group known as HIDDEN COBRA. The group is also known as the Lazarus Group and is North Korea’s largest and most active hacking division.