Threat Watch

US Cyber Command Releases Information About DPRK Malware

The United States Cyber Command publicly released information about five malware samples, allegedly used by the government of the Democratic People’s Republic of Korea (DPRK) for phishing and remote access. The five samples represented three different malware variants, known as COPPERHEDGE, TAINTEDSCRIBE and PEBBLEDASH. Copies of the malware were uploaded to VirusTotal, to facilitate access for researchers and security product vendors.

ANALYST NOTES

At the time of submission on May 12th, several of the malware samples were not detected as malicious by most of the anti-virus products that VirusTotal uses to check submissions. Well-funded threat groups conducting targeted attacks are able to create and maintain malware that anti-virus products do not recognize. It is important to practice defense-in-depth to protect critical computer systems from intrusion: monitor for attacker behaviors and respond quickly to investigate unusual activity on workstations and servers.

Indicators of compromise:
SHA-256 hashes of malware samples:
134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283
1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11
aab2868a6ebc6bdee5bd12104191db9fc1950b30bcf96eab99801624651e77b6
19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35
2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf

Network traffic:
112.217.108.138:443
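
The indicators above can be turned into a simple retrospective check. The following script is an added example, not part of the advisory or of any vendor tool: it hashes files under a directory against the five published SHA-256 values and searches firewall-style log lines for connections to the listed address and port. The log format (dst=<ip> ... dport=<port>), the sample log lines and the function names are assumptions made for this example.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 hashes of the five samples listed in the advisory above.
MALWARE_SHA256 = {
    "134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283",
    "1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11",
    "aab2868a6ebc6bdee5bd12104191db9fc1950b30bcf96eab99801624651e77b6",
    "19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35",
    "2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf",
}
# Network indicator from the advisory: destination address and port.
C2_ENDPOINTS = {("112.217.108.138", 443)}
# Assumed (constructed) log format: "dst=<ip> ... dport=<port>"; adapt the pattern to your own logs.
LOG_PATTERN = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b.*?\bdport=(\d+)\b")

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

def is_known_sample(sha256: str) -> bool:
    """Case-insensitive lookup against the advisory's hash set."""
    return sha256.strip().lower() in MALWARE_SHA256

def scan_tree(root: str) -> list:
    """Hash every regular file under root; return (path, hash) for each match."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_hex(path.read_bytes())  # whole-file read; fine for ordinary sizes
            if is_known_sample(digest):
                hits.append((str(path), digest))
    return hits

def find_c2_connections(log_lines) -> list:
    """Return the log lines whose destination matches a listed C2 endpoint exactly (ip and port)."""
    hits = []
    for line in log_lines:
        m = LOG_PATTERN.search(line)
        if m and (m.group(1), int(m.group(2))) in C2_ENDPOINTS:
            hits.append(line)
    return hits

# Constructed sample log lines (not from the advisory); only the first should match.
SAMPLE_LOG_LINES = [
    "2020-05-13T10:01:02Z fw1 allow src=10.0.0.7 dst=112.217.108.138 dport=443",
    "2020-05-13T10:01:05Z fw1 allow src=10.0.0.7 dst=112.217.108.1 dport=443",
    "2020-05-13T10:02:00Z fw1 allow src=10.0.0.9 dst=112.217.108.138 dport=80",
]
```

Hash matching only catches these exact samples; the behavioral monitoring recommended in the analyst notes is what covers recompiled or repacked variants.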

To read more, please see:
https://www.us-cert.gov/ncas/current-activity/2020/05/12/north-korean-malicious-cyber-activity