Analysis of three Hidden Cobra malware variants issued by CISA

News by Doug Olenick


Copperhedge, Taintedscribe and Pebbledash are the subject of recently published malware analysis, and all three are attributed to Hidden Cobra, the US government's name for the North Korean government-operated APT group. All three act as persistent implants whose objectives include stealing cryptocurrency and exfiltrating data.

The analysis was conducted in the US by CISA (the Cybersecurity and Infrastructure Security Agency), the Department of Defense and the FBI.

The remote access tool (RAT) Copperhedge belongs to the Manuscrypt family of malware, a full-featured RAT used to target cryptocurrency exchanges and related entities.

Manuscrypt is capable of running arbitrary commands, performing system reconnaissance and exfiltrating data. The US agencies describe six distinct variants, distinguished by network and code features and grouped according to shared code and a common class structure. A leftover symbol in some of the implants identifies a class named “WinHTTP_Protocol” and, in later builds, “WebPacket”, the report said.

CISA lists the indicators of compromise (IOCs) for Copperhedge in its report.

Taintedscribe is a full-featured beaconing implant that uses FakeTLS for session authentication and a Linear Feedback Shift Register (LFSR) algorithm for network encryption. The main executable camouflages itself as Microsoft Narrator and works in conjunction with a command and control server. Once running, Taintedscribe can download, upload, delete and execute files; enable Windows CLI access; create and terminate processes; and enumerate the target system.

Its IOCs are listed in the corresponding report.

The trojan Pebbledash is another full-featured beaconing implant with the same data-exfiltration capabilities as Taintedscribe. The main difference between the two is that Pebbledash uses RC4 for network encryption.
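The two network-encryption schemes named for Taintedscribe (an LFSR keystream) and Pebbledash (RC4), plus the TLS record framing that a "FakeTLS" carrier imitates, are shown below as an added, self-contained example. It is not code from the CISA reports or from the malware: the LFSR width and taps, the keys and seeds, the sample beacon text and the record wrapper are all assumptions chosen for illustration, since the article gives none of the real parameters. It also includes a check a defender cares about: any stream cipher reused under one key leaks the XOR of two plaintexts.

```python
import struct

# Added example, not code from the CISA reports or from the malware itself.
# Everything below (LFSR width and taps, keys, seeds, the sample beacon) is an
# assumption chosen for illustration; the article states none of the real values.

LFSR_WIDTH = 16
LFSR_TAPS = (0, 2, 3, 5)   # bit positions (from the LSB) of the textbook 16-bit Fibonacci LFSR


def lfsr_keystream(seed: int, nbytes: int,
                   taps: tuple = LFSR_TAPS, width: int = LFSR_WIDTH) -> bytes:
    """Fibonacci LFSR keystream: each step XORs the tapped bits, shifts the
    register right and feeds the result back into the top bit. The bit shifted
    out becomes the next keystream bit; eight of them are packed per byte."""
    if seed == 0 or seed >> width:
        raise ValueError("seed must be non-zero and fit in the register width")
    state = seed
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            fb = 0
            for t in taps:
                fb ^= (state >> t) & 1
            byte |= (state & 1) << bit          # output bit is the LSB being shifted out
            state = (state >> 1) | (fb << (width - 1))
        out.append(byte)
    return bytes(out)


def lfsr_xor(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the LFSR keystream."""
    return bytes(a ^ b for a, b in zip(data, lfsr_keystream(seed, len(data))))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then XOR with the PRGA keystream.
    Like the LFSR, the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


TLS_APPLICATION_DATA = 0x17
TLS_VERSION_1_2 = 0x0303


def wrap_fake_tls(payload: bytes) -> bytes:
    """Frame an arbitrary (non-TLS) payload inside a TLS record-layer header
    (type, version, length) so it passes a casual port-443 sanity check.
    This is the carrier idea behind 'FakeTLS'; handshake mimicry is not
    reproduced here (assumed shape, not the implant's real framing)."""
    if len(payload) > 0x4000:
        raise ValueError("TLS records carry at most 16 KiB")
    return struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_VERSION_1_2, len(payload)) + payload


def split_records(stream: bytes) -> list:
    """Walk a byte stream record by record and return (type, version, body)
    tuples. A defender can feed a capture through this and then test whether
    the bodies decrypt under a suspected key, which genuine TLS would not."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        rtype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            break                                  # truncated record: stop cleanly
        records.append((rtype, version, body))
        pos += 5 + length
    return records


def keystream_reuse_leak(m1: bytes, m2: bytes, seed: int) -> bytes:
    """Any stream cipher reused with the same key/seed leaks m1 XOR m2 from the
    two ciphertexts alone, which is why beacon traffic with a predictable
    structure is a good starting point for decrypting an implant's channel."""
    c1, c2 = lfsr_xor(m1, seed), lfsr_xor(m2, seed)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    beacon = b"BEACON host=WS01 user=alice"        # constructed sample message
    c_lfsr = lfsr_xor(beacon, 0xACE1)
    c_rc4 = rc4(b"Key", beacon)
    wire = wrap_fake_tls(c_lfsr) + wrap_fake_tls(c_rc4)
    for rtype, version, body in split_records(wire):
        print(hex(rtype), hex(version), body.hex())
    print(lfsr_xor(c_lfsr, 0xACE1) == beacon, rc4(b"Key", c_rc4) == beacon)
```

Both ciphers are symmetric XOR keystreams, so the same function decrypts; the practical difference for an analyst is that an LFSR is linear (its state is recoverable from a short run of known keystream) while RC4 is not, so a known-plaintext beacon header is enough to recover the entire LFSR channel but only the keystream prefix of an RC4 one.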

Its IOCs are listed in the corresponding report.

Malware Analysis Reports (MARs) are released by US government agencies on a regular basis to enable network defence and reduce exposure to North Korean government malicious cyber activity. Each MAR includes malware descriptions, suggested response actions and recommended mitigation techniques, and CISA asks any organisation victimised by any of these malware families to notify it as soon as possible.

First published in SC US.
