The email rar attachment contains an exe file: the first malware, which downloads the second. The stolen data is exfiltrated via SMTP.
US cyber security federal and military community exposes new North Korean malware: COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH
COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH are three malware variants used by North Korean state-sponsored hackers. They were discovered by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The threat actor (HIDDEN COBRA) used the new malware “for phishing and remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions”, according to US Cyber Command (CYBERCOM), which has also uploaded five samples of the newly discovered malicious code variants onto the VirusTotal malware aggregation repository. Just last month, as Bleeping Computer reports, the U.S. government issued guidance on Pyongyang’s hacking activity and offered a reward of up to $5 million for any information on DPRK hackers’ cyber activity, including past or ongoing operations, if it leads to the identification or location of North Korean actors or to the disruption of DPRK-related illegal activities.
The first one is a RAT and the other two are trojans. Last February, six other HIDDEN COBRA malicious codes were discovered
According to the cyber security experts, COPPERHEDGE (Manuscrypt family) is a Remote Access Tool (RAT) used by the APT to target cryptocurrency exchanges and related entities. It can run arbitrary commands, perform system reconnaissance, and exfiltrate data. Six distinct variants have been identified based on network and code features. TAINTEDSCRIBE and PEBBLEDASH are two trojans. Both are used by North Korean state-sponsored hackers as full-featured beaconing implants (the first one designed to disguise itself as Microsoft’s Narrator). They can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration. Last February, the US government issued reports on six other HIDDEN COBRA malware: BISTROMATH (full-featured RAT), SLICKSHOES (Themida-packed dropper), CROWDEDFLOUNDER (Remote Access Trojan loader), HOTCROISSANT (beaconing implant with backdoor capabilities), ARTFULPIE (malware that loads and executes a DLL from a hardcoded URL), and BUFFETLINE (beaconing implant with backdoor features).