On May 12th, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released detailed information about malware attributed to the government of North Korea. On June 23rd, researchers with Reversing Labs released updated information about additional malware samples they found that are closely related and also attributed to the North Korean Advanced Persistent Threat (APT) group known as Hidden Cobra or Lazarus. The new malware samples were identified using several different techniques: Yara rules that match the same pattern of bytes; comparing the list of imported functions (import hash); shared resources or other sections of the executable file; the same "compile" timestamp; the same pattern for decrypting the list of imported functions; use of the same Command and Control (C2) server domain names; and the same set of supported commands.
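Two of the pivots named above, the import hash and the "compile" timestamp, can be reproduced in a few lines. The following is an added example, not code from Reversing Labs or the CISA report: it normalizes a constructed import table the way the imphash convention does (lowercase, DLL extension dropped, ordinals as `ordN`, MD5 of the comma-joined list) and reads `TimeDateStamp` from a constructed minimal PE header. The sample import tables and header are invented for illustration.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample import tables (DLL, function names or ordinals).
# Illustrative only; not the imports of any real Hidden Cobra sample.
SAMPLE_A = [("KERNEL32.dll", ["CreateFileA", "WriteFile", "CloseHandle"]),
            ("WS2_32.dll", [23, "connect", "send"])]
SAMPLE_B = [("kernel32.DLL", ["CreateFileA", "WriteFile", "CloseHandle"]),
            ("ws2_32.dll", [23, "connect", "send"])]   # same imports, other casing
SAMPLE_C = [("WS2_32.dll", [23, "connect", "send"]),
            ("KERNEL32.dll", ["CreateFileA", "WriteFile", "CloseHandle"])]  # reordered


def normalize_imports(imports):
    """Flatten an import table into the 'dll.func' strings imphash is built from:
    DLL extension dropped, everything lowercased, ordinals written as 'ordN'."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{lib}.{name}")
    return entries


def imphash(imports):
    """MD5 of the comma-joined normalized list; order of imports matters."""
    return hashlib.md5(",".join(normalize_imports(imports)).encode()).hexdigest()


def compile_timestamp(pe_bytes):
    """Read TimeDateStamp from the COFF header: e_lfanew at offset 0x3c points at
    the 'PE\\0\\0' signature and the 32-bit timestamp sits 8 bytes after it."""
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    ts = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def fake_pe_header(timestamp):
    """Constructed minimal header: DOS stub with e_lfanew=64, then PE signature
    followed by Machine, NumberOfSections, TimeDateStamp and zeroed COFF fields."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHI", 0x14C, 1, timestamp) + b"\x00" * 12
    return dos + b"PE\x00\x00" + coff
```

Samples with identical import lists hash the same regardless of casing, while a reordered table yields a different value, which is why imphash clusters builds from the same source tree rather than any binary importing the same APIs.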
By using these techniques to discover other potential matches in a large collection of malware and analyzing the identified malware samples to confirm the similarities, Reversing Labs was able to identify many additional file hashes, domain names and IP addresses to use as Indicators of Compromise (IoCs) for detecting Hidden Cobra activity. A list of identified domain names is included below, and more details about analysis techniques used and other IoCs can be found at the Reversing Labs blog: https://blog.reversinglabs.com/blog/hidden-cobra