Threat Watch

New Malware Attributed to North Korea’s Hidden Cobra/Lazarus Threat Group

On May 12th, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released detailed information about malware attributed to the government of North Korea. On June 23rd, researchers with Reversing Labs released updated information about additional malware samples they found that are closely related and also attributed to the North Korean Advanced Persistent Threat (APT) group known as Hidden Cobra or Lazarus. The new malware samples were identified using several different techniques: Yara rules that match the same patterns of bytes; comparison of the list of imported functions (import hash); shared resources or other identical sections of the executable file; identical “compile” timestamps; the same pattern for decrypting the list of imported functions; use of the same Command and Control (C2) server domain names; and support for the same set of commands.

By using these techniques to discover other potential matches in a large collection of malware and analyzing the identified malware samples to confirm the similarities, Reversing Labs was able to identify many additional file hashes, domain names and IP addresses to use as Indicators of Compromise (IoCs) for detecting Hidden Cobra activity. A list of identified domain names is included below, and more details about analysis techniques used and other IoCs can be found at the Reversing Labs blog: https://blog.reversinglabs.com/blog/hidden-cobra
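One of the pivots listed above, the “compile” timestamp, can be checked with nothing more than the standard library, because the value lives at a fixed place in the PE/COFF header. The following is an added example written for this note; it is not code from Reversing Labs, CISA or the FBI. It reads the DOS header's e_lfanew field, verifies the PE signature, extracts the COFF TimeDateStamp and groups samples that share it. The sample headers are constructed in the script (they are not real executables), and the file names are placeholders.

```python
"""Pivot on the PE compile timestamp to group related samples.

Added example; not code from the bulletin, CISA or Reversing Labs.
Pure standard library: reads e_lfanew and the COFF TimeDateStamp directly.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

E_LFANEW_OFFSET = 0x3C          # DOS header field that points at "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20


def compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch).

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + COFF_HEADER_SIZE:
        raise ValueError("truncated COFF header")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, coff + 4)
    return timestamp


def timestamp_note(timestamp: int, now: int) -> str:
    """Describe a timestamp: a UTC date, or a flag when it cannot be a real build time.

    The field is attacker-controlled, so a shared value is a pivot to
    investigate, not proof of a common origin.
    """
    if timestamp == 0:
        return "zeroed"
    if timestamp > now:
        return "future"
    return datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d")


def cluster_by_timestamp(samples: dict) -> tuple:
    """Group sample names by compile timestamp.

    Returns (clusters, errors): clusters maps timestamp -> sorted names,
    errors maps name -> parse failure message for files that are not PEs.
    """
    clusters = defaultdict(list)
    errors = {}
    for name, data in samples.items():
        try:
            clusters[compile_timestamp(data)].append(name)
        except ValueError as exc:
            errors[name] = str(exc)
    return {ts: sorted(names) for ts, names in clusters.items()}, errors


def build_sample(timestamp: int, machine: int = 0x14C, sections: int = 1) -> bytes:
    """Constructed minimal PE header for demonstration; not a real executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)   # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # Constructed sample set: two share a build time, one differs, one is not a PE.
    samples = {
        "sample_a.bin": build_sample(1588291200),
        "sample_b.bin": build_sample(1588291200),
        "sample_c.bin": build_sample(1590000000),
        "notes.txt": b"not a PE file",
    }
    clusters, errors = cluster_by_timestamp(samples)
    now = int(datetime.now(timezone.utc).timestamp())
    for ts, names in sorted(clusters.items()):
        print(f"{ts} ({timestamp_note(ts, now)}): {', '.join(names)}")
    for name, err in errors.items():
        print(f"skipped {name}: {err}")
```

Run it over a directory of samples by replacing the constructed dictionary with real file contents; clusters of two or more names are candidates for the closer comparison (import hash, shared sections, decryption pattern) that the note describes, since a timestamp can be zeroed or forged at will.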

ANALYST NOTES

Using publicly released information about malware samples to perform research to find additional malware of the same type or family is a very effective technique to discover more domain names and IP addresses of C2 servers. Binary Defense often analyzes malware samples discovered in the wild or shared by other researchers to develop Yara rules and other research techniques to find additional samples. While searching for specific IoC values is one part of defense, it is ineffective when attackers set up a unique infrastructure for each targeted victim. It is more effective to focus on analysis of attacker techniques that are not dependent on specific domain names, IP addresses and file hashes. Detecting threats based on a broad range of attacker techniques has the potential to discover new malware and other threat activity beyond the narrow set of specific malware that was analyzed.

Indicators of Compromise:
avsolution[.]co[.]kr
billing[.]malgum[.]com
bremaicemakers[.]co[.]kr
1688dsj[.]com
ccsnbao[.]com
fmose[.]com
vns1389[.]com
www[.]happyhomehk[.]com
www[.]mnmsrus[.]com
ando[.]co[.]kr
ansetech[.]co[.]kr
mileage[.]krb[.]co[.]kr
wpm[.]coastal[.]com[.]cn
www[.]abex[.]co[.]kr
www[.]sztqwy[.]com
www[.]10vs[.]net
www[.]168va[.]com
www[.]1996hengyou[.]com
www[.]paulkaren[.]com
www[.]51up[.]com
www[.]shieldonline[.]co[.]za
www[.]0756rz[.]com
www[.]51xz8[.]com
www[.]hypnosmd[.]com
www[.]juliesoskin[.]com
www[.]necaled[.]com
www[.]valentinsblog[.]de
www[.]adhyatmikpunarjagran[.]org
www[.]payngrab[.]com
www[.]weeklyexperts[.]com
store[.]lifemesh[.]ai
www[.]encresquadra[.]com
www[.]my-banner[.]de
amytanathorn[.]com
lavaandstone[.]com
sales[.]alitho[.]com
fudcitydelivers[.]com
sctemarkets[.]com
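The domains above are published defanged (with “[.]” in place of dots) so they cannot be clicked by accident; to use them for detection they have to be refanged and compared against resolver or proxy logs. The following added example (written for this note, not code from Binary Defense or Reversing Labs) does that for a subset of the list: it refangs each entry, then scans constructed DNS query log lines in a hypothetical “timestamp client query” format and reports queries that equal an indicator or fall under it as a subdomain. The log lines and client addresses are constructed for the demonstration.

```python
"""Match defanged domain IoCs against DNS query logs.

Added example; not code from the bulletin. Log format is a hypothetical
whitespace-separated "timestamp client query" line, constructed below.
"""
import re

# Subset of the bulletin's list, kept exactly as published (defanged).
IOC_LIST = """
avsolution[.]co[.]kr
billing[.]malgum[.]com
www[.]happyhomehk[.]com
store[.]lifemesh[.]ai
"""

# Constructed log lines: one benign query, one exact IoC hit, one subdomain
# of an IoC, and one parent domain of an IoC (which should not match).
DNS_LOG = """\
2020-06-24T13:02:11Z 10.0.4.17 time.windows.com
2020-06-24T13:02:15Z 10.0.4.17 billing.malgum.com
2020-06-24T13:05:40Z 10.0.9.3 cdn.store.lifemesh.ai
2020-06-24T13:06:02Z 10.0.9.3 MALGUM.COM
"""

DEFANG_DOT = re.compile(r"\[\.\]")
DEFANG_SCHEME = re.compile(r"^hxxps?://", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a lowercase hostname.

    Handles the "[.]" and "hxxp://" conventions used in published lists and
    drops any trailing path or port.
    """
    value = DEFANG_SCHEME.sub("", indicator.strip())
    value = DEFANG_DOT.sub(".", value)
    value = value.split("/", 1)[0].split(":", 1)[0]
    return value.lower().rstrip(".")


def load_iocs(text: str) -> set:
    """Refang every non-empty line of a defanged list into a set of hostnames."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def matching_ioc(query: str, iocs: set):
    """Return the IoC that the query equals or sits beneath, else None.

    Walks label suffixes so cdn.store.lifemesh.ai matches store.lifemesh.ai;
    a parent such as malgum.com does not match billing.malgum.com.
    """
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines, iocs: set) -> list:
    """Return one dict per log line whose queried name matches an IoC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue                      # skip blank or malformed lines
        ts, client, query = fields
        ioc = matching_ioc(query, iocs)
        if ioc is not None:
            hits.append({"ts": ts, "client": client, "query": query, "ioc": ioc})
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_LIST)
    for hit in scan_dns_log(DNS_LOG.splitlines(), iocs):
        print(f"{hit['ts']} {hit['client']} queried {hit['query']} (IoC: {hit['ioc']})")
```

The parent-domain line is deliberately left unmatched: whether to alert on an entire registered domain rather than the published host is a decision to make per indicator, because several entries in the list are hosts on otherwise legitimate sites. As the analyst notes say, a match here only finds infrastructure that has already been published; it should sit alongside detections for the attacker techniques that do not change between victims.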