Increased HIDDEN COBRA activity
Original Issue Date: May 30, 2018
US-CERT has published reports on the ongoing malware activity of the alleged North Korea-based threat group known as HIDDEN COBRA (also tracked as Lazarus).
In its latest alert, US-CERT describes a remote access tool (RAT) named "Joanap" and a Server Message Block (SMB) worm named "Brambul". The RAT reaches the system as a file dropped from compromised sites controlled by HIDDEN COBRA or via email attachments. The RAT enables the malware actor to perform data exfiltration, download additional malware and initialize proxy communications on a compromised Windows device.
The SMB worm "Brambul", in turn, attempts to contact all of the Internet Protocol (IP) addresses on the victim's local subnet. If the malware is able to connect to these IP addresses, it attempts to gain unauthorized access via the SMB protocol on port 445 using a brute-force password attack. The malware contains an embedded list of commonly used passwords and also generates random external IP addresses, which it attempts to attack. If the malware successfully gains access to another system, it sends an email containing that system's IP address, hostname, username, password and RDP details to predefined email addresses.
[File system changes]
%WINDIR%\system32\mssscardprv.ax [the file stores the victim's Internet Protocol (IP) address, host name, and current system time]
A detailed list of IOCs (identified C2 servers) is given in the US-CERT alert.
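The following Python script is added here as an illustration and is not part of the CERT-In or US-CERT material. It shows the detection logic a defender can build from the Brambul description above: it reads Windows Security logon events (4625 failures and 4624 successes with logon type 3, which is how SMB authentication on port 445 appears on the target host) and flags a source address that fails against many accounts across several hosts within a short window, then notes whether a network logon from that source succeeded around the burst. The key=value line format, host names, addresses and account names are constructed sample data, and the thresholds are assumptions to be tuned per environment; the same logic is the "failed logon attempts" audit recommended later in this advisory, expressed as code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Windows Security events
# flattened to one key=value line each. Event 4625 is a failed logon and
# 4624 a successful one; logon_type 3 (network) is what SMB authentication
# produces on the target host. The 10.0.5.23 burst mimics the worm behaviour
# described above: many accounts tried against several hosts on the subnet
# within seconds, followed by one success. 10.0.1.7 is a user mistyping.
SAMPLE_LOG = """\
2018-05-30T10:00:01Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=administrator
2018-05-30T10:00:03Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=admin
2018-05-30T10:00:05Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=guest
2018-05-30T10:00:07Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=root
2018-05-30T10:00:09Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=user
2018-05-30T10:00:11Z host=FS01 event=4625 logon_type=3 src_ip=10.0.5.23 user=test
2018-05-30T10:00:13Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=administrator
2018-05-30T10:00:15Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=admin
2018-05-30T10:00:17Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=guest
2018-05-30T10:00:19Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=root
2018-05-30T10:00:21Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=backup
2018-05-30T10:00:23Z host=FS02 event=4625 logon_type=3 src_ip=10.0.5.23 user=administrator
2018-05-30T10:00:25Z host=FS02 event=4624 logon_type=3 src_ip=10.0.5.23 user=administrator
2018-05-30T10:02:10Z host=FS01 event=4625 logon_type=3 src_ip=10.0.1.7 user=jsmith
2018-05-30T10:02:14Z host=FS01 event=4625 logon_type=3 src_ip=10.0.1.7 user=jsmith
2018-05-30T10:02:20Z host=FS01 event=4624 logon_type=3 src_ip=10.0.1.7 user=jsmith
2018-05-30T10:03:00Z host=WS07 event=4624 logon_type=2 src_ip=127.0.0.1 user=jsmith
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one flattened event line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        rec["event"] = int(rec["event"])
        rec["logon_type"] = int(rec.get("logon_type", 0))
    except (KeyError, ValueError):
        return None
    return rec


def detect_smb_bruteforce(lines, window=timedelta(minutes=5),
                          min_failures=10, min_users=3):
    """Flag each source IP whose network-logon failures inside one sliding
    window are numerous and spread over several accounts, and record whether
    a network logon from that source succeeded around the burst."""
    failures = defaultdict(list)   # src_ip -> [(ts, user, host)]
    successes = defaultdict(list)  # src_ip -> [(ts, user, host)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["logon_type"] != 3:   # only network logons
            continue
        entry = (rec["ts"], rec["user"], rec["host"])
        if rec["event"] == 4625:
            failures[rec["src_ip"]].append(entry)
        elif rec["event"] == 4624:
            successes[rec["src_ip"]].append(entry)

    findings = []
    for src in sorted(failures):
        fails = sorted(failures[src])
        # Densest window: advance j so that fails[j..i] all lie within `window`.
        best = (0, 0, 0)
        j = 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            if i - j + 1 > best[0]:
                best = (i - j + 1, j, i)
        count, j, i = best
        burst = fails[j:i + 1]
        users = {u for _, u, _ in burst}
        if count < min_failures or len(users) < min_users:
            continue
        start, end = burst[0][0], burst[-1][0]
        logged_in = sorted({u for t, u, _ in successes.get(src, [])
                            if start - window <= t <= end + window})
        findings.append({
            "src_ip": src,
            "failures": count,
            "distinct_users": len(users),
            "hosts": sorted({h for _, _, h in burst}),
            "window_start": start.isoformat(),
            "window_end": end.isoformat(),
            "success_near_burst": bool(logged_in),
            "accounts_logged_in": logged_in,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_smb_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with `success_near_burst` set is the case to treat as a probable compromise rather than noise: it is the point at which the worm, as described above, would mail the harvested credentials out, so the host named in `hosts` should be isolated and the listed accounts' passwords rotated.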
- Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain. These email validation mechanisms are designed to prevent spam by detecting the email spoofing through which most ransomware samples successfully reach corporate mailboxes.
- Disable Microsoft's File and Printer Sharing service, if not required by the organization. If this service is required, use strong
passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the
- Do not open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
- Restrict execution of PowerShell and WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
- Enforce application whitelisting and strict Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths, since ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
- Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block
these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with
a reputable antivirus solution.
- Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an
organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific
settings can block macros originating from the Internet from running.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs
to read specific files, they should not have write access to those files, directories, or shares.
- Maintain updated Antivirus software on all systems
- Consider installing the Enhanced Mitigation Experience Toolkit (EMET), or similar host-level anti-exploitation tools.
- Segment and segregate the network into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks (VLANs).
- Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts in failed logon attempts, file share access, and interactive logons via a remote session.
- Disable RDP if not required. Consider using a Virtual Private Network (VPN) with authentication for external connections. Use two-factor authentication (2FA).
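As an added example (not part of the original advisory) of what the SPF and DMARC recommendation in the list above amounts to in practice, the Python below parses the DNS TXT records for SPF and DMARC and lists the weaknesses that let spoofed mail through: a permissive `?all` or `~all` in SPF, a `p=none` DMARC policy, a weak subdomain policy, a partial `pct`, a missing reporting address, or more SPF lookup terms than resolvers will evaluate. The records, domains and mailbox addresses are constructed examples; the checks follow the defaults in RFC 7208 (SPF) and RFC 7489 (DMARC). Fetching the records from DNS is left to the reader's resolver so the script runs offline.

```python
import re

# Constructed example records (not from any real domain). The first pair is
# what an assessment commonly finds before hardening; the second is the target.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"
STRICT_SPF = "v=spf1 include:_spf.mailer.example -all"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@corp.example")

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation,
# and a record over the cap yields permerror, i.e. no protection at all.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)", re.I)


def assess_spf(record):
    """Return the list of weaknesses in an SPF TXT record ([] = acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    # The 'all' mechanism decides the fate of senders the record does not list.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1].lower() != "-all":
        issues.append(f"permissive all mechanism {all_terms[-1]}: "
                      "spoofed mail is not rejected")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit "
                      "of 10 (permerror)")
    return issues


def assess_dmarc(record):
    """Return the list of weaknesses in a DMARC TXT record ([] = acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"policy p={policy or 'missing'} only monitors; "
                      "spoofed mail is still delivered")
    # Subdomain policy defaults to p when sp is absent (RFC 7489 section 6.3).
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        issues.append(f"subdomain policy sp={sub or 'missing'} leaves "
                      "subdomains spoofable")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of "
                      "the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


if __name__ == "__main__":
    for label, rec, check in (("weak SPF", WEAK_SPF, assess_spf),
                              ("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("strict SPF", STRICT_SPF, assess_spf),
                              ("strict DMARC", STRICT_DMARC, assess_dmarc)):
        print(label, "->", check(rec) or "OK")
```

Moving from the weak to the strict pair is normally staged: publish `p=none` with `rua=` first, read the aggregate reports until every legitimate sending service passes SPF or DKIM alignment, then switch to `p=quarantine` and finally `p=reject`, so the checker's output is a to-do list rather than a reason to flip the policy overnight.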
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003