hidden_cobra_malware.yml (forked from splunk/security_content)
name: Hidden Cobra Malware
id: baf7580b-d4b4-4774-8173-7d198e9da335
version: 2
date: '2020-01-22'
author: Rico Valdez, Splunk
description: Monitor for and investigate activities, including the creation or deletion
  of hidden shares and file writes, that may be evidence of infiltration by North
  Korean government-sponsored cybercriminals. Details of this activity were reported
  in DHS Report TA-18-149A.
narrative: 'North Korea''s government-sponsored "cyber army" has been slowly building
  momentum and gaining sophistication over the last 15 years or so. As a result, the
  group''s activity, which the US government refers to as "Hidden Cobra," has surreptitiously
  crept onto the collective radar as a preeminent global threat.

  These state-sponsored actors are thought to be responsible for everything from a
  hack on a South Korean nuclear plant to an attack on Sony in anticipation of its
  release of the movie "The Interview" at the end of 2014. They''re also notorious
  for cyberespionage. In recent years, the group seems to be focused on financial
  crimes, such as cryptojacking.

  In June of 2018, the Department of Homeland Security, together with the FBI and
  other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the
  public about two variants of North Korean malware. One variant, dubbed "Joanap,"
  is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate
  data, download and execute secondary payloads, and initialize proxy communications.
  The other variant, "Brambul," is a Windows 32-bit SMB worm that is dropped into a victim
  network. When executed, the malware attempts to spread laterally within a victim''s
  local subnet, connecting via the SMB protocol and initiating brute-force password
  attacks. It reports details to the Hidden Cobra actors via email, so they can use
  the information for secondary remote operations.

  Among other searches in this Analytic Story is a detection search that looks for
  the creation or deletion of hidden shares, such as "adnim$," which the Hidden Cobra
  malware creates on the target system. Another looks for the creation of three malicious
  files associated with the malware. You can also use a search in this story to investigate
  activity that indicates that malware is sending email back to the attackers.'
references:
- https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
- https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
tags:
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
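The hidden-share detection the narrative describes, written out as an added Python example rather than Splunk's own SPL search: it reads Windows Security share-audit events (IDs 5142 and 5144), flags any hidden ($-suffixed) share being created or deleted, and rates lookalikes of default administrative shares such as "adnim$" highest. The key=value event format, host names and sample lines are constructed for illustration and are not taken from the story or the TA.

```python
# Added example (not Splunk's detection search): flag hidden-share creation
# and deletion in Windows Security audit events. Event IDs 5142 (share added)
# and 5144 (share deleted) are standard; the event lines below are constructed.
import re

# Shares a normal host exposes: exact matches are skipped as expected noise, but
# a hidden share that merely resembles one (e.g. "adnim$", which TA-18-149A
# attributes to Brambul) is rated high.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}
SHARE_EVENTS = {"5142": "created", "5144": "deleted"}

SAMPLE_EVENTS = [  # constructed key=value exports, not real telemetry
    r"EventCode=5142 ComputerName=ws01 ShareName=\\*\adnim$ ShareLocalPath=C:\Windows\Temp",
    r"EventCode=5142 ComputerName=ws02 ShareName=\\*\Reports ShareLocalPath=D:\Reports",
    r"EventCode=5142 ComputerName=ws03 ShareName=\\*\ADMIN$ ShareLocalPath=C:\Windows",
    r"EventCode=5142 ComputerName=ws03 ShareName=\\*\backup$ ShareLocalPath=E:\bk",
    r"EventCode=5144 ComputerName=ws01 ShareName=\\*\adnim$",
    r"EventCode=4624 ComputerName=ws01 LogonType=3",
]

def looks_like_default(share):
    """Lookalike test, case-insensitive: same letters in another order
    (adnim$ vs ADMIN$) or exactly one substituted character."""
    s = share.upper()
    for d in DEFAULT_ADMIN_SHARES:
        if len(s) != len(d) or s == d:
            continue
        if sorted(s) == sorted(d) or sum(x != y for x, y in zip(s, d)) == 1:
            return True
    return False

def detect_hidden_share_events(lines):
    """Return one finding per hidden ($-suffixed) share created or deleted."""
    findings = []
    for line in lines:
        ev = dict(re.findall(r"(\w+)=(\S+)", line))   # key=value fields
        action = SHARE_EVENTS.get(ev.get("EventCode", ""))
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1]  # strip \\*\ prefix
        if action is None or not share.endswith("$"):
            continue  # not a share audit event, or a visible share
        if share.upper() in DEFAULT_ADMIN_SHARES:
            continue  # the OS recreates these at boot; expected noise
        severity = "high" if looks_like_default(share) else "medium"
        findings.append({"host": ev.get("ComputerName"), "share": share,
                         "action": action, "severity": severity})
    return findings
```

Running `detect_hidden_share_events(SAMPLE_EVENTS)` yields three findings: the "adnim$" creation and deletion on ws01 at high severity, and the "backup$" creation on ws03 at medium.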