DHS and FBI identified North Korean malware KEYMARBLE that related to HIDDEN COBRA to attack U.S government entities to capture screenshots, stealing sensitive data, modifying the system files etc.
This sophisticated malware variant used by the North Korean government to perform cyberattack that targets various organization and Governments.
It works under one of the most dangerous cyber espionage group called HIDDEN COBRA which already involved various cyber-attack around the world.
DHS & FBI has been issued a warning about this cyber attack across the US including the government IT infrastructure.
KEYMARBLE also work’s as a Remote Access Trojan (RAT) to perform various malicious activities such as accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data.
HIDDEN COBRA uses various IP address to maintain a presence on victims machine and performing a powerful exploitation on the victim’s network.
Initially, it distributing via malicious 32-bit Windows executable file that acts as RAT to infiltrate the network and access the target network.
Once KEYMARBLE executed, it de-obfuscates its application programming interfaces using port 443 which attempt to connect hardcoded C&C server IP addresses to receive further instruction from the attacker.
During the Command & Control server communication RAT using XOR cryptographic algorithm to ensure the secure communication to receive the instructions.
Once its receive the further instruction from the attackers via C&C server, it performing following operation in the compromised victims system.
- Download and upload files
- Execute secondary payloads
- Execute shell commands
- Terminate running processes
- Delete files
- Search files
- Set file attributes
- Create registry entries for storing data:(HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath)
- Collect device information from installed storage devices (disk free space and their type)
- List running processes information
- Capture screenshots
- Collect and send information about the victim’s system (operating system, CPU, MAC address, computer name, language settings, list of disk devices and their type, time elapsed since the system was started, and unique identifier of the victim’s system)
According to US-CERT This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques.
“Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.”
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…