Saturday, February 15, 2025
HomeComputer SecurityFBI Uncovered North Korean Malware Attack KEYMARBLE on U.S Government Entities to...

FBI Uncovered North Korean Malware Attack KEYMARBLE on U.S Government Entities to Stealing Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

DHS and FBI identified North Korean malware KEYMARBLE that related to HIDDEN COBRA  to attack U.S government entities to capture screenshots, stealing sensitive data, modifying the system files etc.

This sophisticated malware variant used by the North Korean government to perform cyberattack that targets various organization and Governments.

It works under one of the most dangerous cyber espionage group called HIDDEN COBRA which already involved various cyber-attack around the world.

DHS & FBI has been issued a warning about this cyber attack across the US including the government IT infrastructure.

KEYMARBLE also work’s as a Remote Access Trojan (RAT) to perform various malicious activities such as accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data.

HIDDEN COBRA uses various IP address to maintain a presence on victims machine and performing a powerful exploitation on the victim’s network.

How does it Malware Works

Initially, it distributing via malicious 32-bit Windows executable file that acts as RAT to infiltrate the network and access the target network.

Once KEYMARBLE executed, it de-obfuscates its application programming interfaces using port 443 which attempt to connect hardcoded C&C server IP addresses to receive further instruction from the attacker.

During the Command & Control server communication RAT using XOR cryptographic algorithm to ensure the secure communication to receive the instructions.

crypto algorithms the malware used to secure its data transfer

Once its receive the further instruction from the attackers via C&C server, it performing following operation in the compromised victims system.

  • Download and upload files
  • Execute secondary payloads
  • Execute shell commands
  • Terminate running processes
  • Delete files
  • Search files
  • Set file attributes
  • Create registry entries for storing data:(HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath)
  • Collect device information from installed storage devices (disk free space and their type)
  • List running processes information
  • Capture screenshots
  • Collect and send information about the victim’s system (operating system, CPU, MAC address, computer name, language settings, list of disk devices and their type, time elapsed since the system was started, and unique identifier of the victim’s system)

According to US-CERT This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques.

“Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.”

Mitigations

  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrator’s group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...