Hidden Cobra and DeltaCharlie
The United States Computer Emergencies Readiness Team (US-CERT) released a Technical Alert (TA) to warn organizations of North Koreas “Hidden Cobra” activities, particularly a DDoS botnet network. The technical alert was based from the analytic efforts of the FBI and DHS.
The tools used by Hidden Cobra include DDoS botnets, keyloggers, remote access tools and wiper malware. The systems that are usually the target of the group are outdated systems or systems that are running an older, unsupported version of the Microsoft operating system.
The vulnerabilities that are mainly used by Hidden Cobra include:
• CVE-2015-6585: Hangul Word Processor Vulnerability
• CVE-2015-8651: Adobe Flash Player 188.8.131.524 and 19.x Vulnerability
• CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
• CVE-2016-1019: Adobe Flash Player 184.108.40.206 Vulnerability
• CVE-2016-4117: Adobe Flash Player 220.127.116.11 Vulnerability
It is recommended that these applications should be up-to-date.
A botnet infrastructure and a DDoS tool used by Hidden Cobra. It was first discovered by Novetta in 2016 in their Operation Blockbuster Malware Report. It is capable of releasing DNS attacks, NTP (Network Time Protocol) attacks and Character Generation Protocol attacks. It acts as svchost-based service on the victims’ machine and can download executables, updating its own binaries, terminating its own processes and activating and terminating DoS attacks. More details on the malware can be found here.
The technical alert recommends that if these tools are detected, it is best to report it to DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch) and will be given highest priority for mitigation.