Threat Advisory: Six Malware Families Used by State-Sponsored Hacking Group

February 14, 2020

The US Cyber Command, the Department of Homeland Security, and the Federal Bureau of Investigations have released security advisories detailing six new malware families that are currently being used by hackers believed to be connected with the government-backed, North Korean hacking group known as Hidden Cobra or Lazars Group. There is also the seventh report of an updated version of the Hoplight trojan, also linked to the same group.

The scale of the current North Korean attacks against US targets is unknown, but considering three similar encounters from last year, it is believed that North Korean attacks are occurring in a constant wave.

Technical Details 

The six malware files have been named Hoplight, Buffetline, Artfulpie, Hotcroissant, Crowdedflounder, Slickshoes, and Bistromath.

The following is a quick description of each trojan: 

• BISTROMATH: described as a "full-featured RAT" 
• SLICKSHOES: described as a malware dropper (loader) 
• CROWDEDFLOUNDER: described as a "32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory." 
• HOTCROISSANT: described as a "full-featured beaconing implant" used for "conducting system surveys, file upload/download, process and command execution, and performing screen captures." 
• ARTFULPIE: described as "an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL." 
• BUFFETLINE: described as a "full-featured beaconing implant" that can "download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration." 
• HOPLIGHT: a proxy-based backdoor trojan the DHS and FBI first exposed in April 2019.  

The samples have also been added to US Cyber Command account on VirusTotal here.

Many of the malware files exhibit typical remote access trojan (RAT) features. Slickshoes, for example, which appears to be a dropper and a RAT, has many of the common features of a RAT, such as reverse shell, screen capture, file theft, and file creation. Hotcroissant, appears to have a compilation timestamp from July of last year. Artfulpie, which appears to be a downloader for another payload, was compiled in June. Buffetline appears to encrypt its traffic in a way that fakes TLS encryption, which could make nefarious activity blend into normal traffic. Buffetline is also capable of manipulating file timestamps so the hackers can, to some extent, obfuscate their activities to possible incident responders, according to the person familiar with the MAR.

Detection 

CISA provided a Malware Analysis Report (MAR) for each of the trojans. Please refer to the links below for the full report. IOCs of the samples and observed callback traffic were also provided. 

• https://www.us-cert.gov/ncas/analysis-reports/ar20-045a 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045b 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045c 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045d 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045e 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045g 

Mitigations 

Herjavec Group shares CISA recommendations on the following best practices to mitigate these vulnerabilities and strengthen your organization's security posture. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts: 

• Maintain up-to-date antivirus signatures and engines. 
• Keep operating system patches up-to-date. 
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication. 
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators' group unless required. 
• Enforce a strong password policy and implement regular password changes. 
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known. 
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests. 
• Disable unnecessary services on agency workstations and servers. 
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). 
• Monitor users' web browsing habits; restrict access to sites with unfavorable content. 
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.). 
• Scan all software downloaded from the Internet prior to executing. 
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). 

---

For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.