Alleged North Korean Campaign HIDDEN COBRA Targets Critical Industries

A pair of Joint Technical Alerts (TA17-318A and TA17-318B) from the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have revealed more details on cyberattacks, allegedly coming from North Korea. The attacks are part of a collective campaign called “HIDDEN COBRA”, which targets critical industries both in the US and globally. The campaign is centered on two malware: a Remote Administration Tool called FALLCHILL (detected by Trend Micro as BKDR_DESTOVER.ADU and BKDR64_NUKESPED.A), as well as a backdoor Trojan named Volgmer (BKDR_VOLGMER family).

According to the report, the actors behind HIDDEN COBRA have likely been using FALLCHILL since 2016, primarily targeting crucial industries such as aerospace, telecommunications, and finance. The malware is dropped, either by other malware that are also part of the campaign or through compromised websites set up by the threat actors. Once FALLCHILL infects a target system, the threat actors can issue remote commands from a C&C server using dual proxies.  Due to FALLCHILL’s presence as a malware-as-a-service, it is likely that other malicious software from the HIDDEN COBRA campaign is also present in the target system.

The second malware highlighted in the report is the Volgmer trojan, which is designed to provide covert backdoor access to the compromised system. Volgmer was reportedly spotted as far back as 2013, mainly targeting the government, as well as the financial, automotive, and media industries. Spear phishing seems to be the primary infection vector of Volgmer, most likely via attachments from malicious emails. Volgmer shows a wide array of capabilities, which include system information gathering, downloading and uploading files, executing commands, terminating processes, as well as directory listing. One of the samples analyzed also showcased botnet controller functionality.

While the attribution of these attacks can be a tricky issue, as seen in the OnionDog campaign which proved to be a cyber drill rather than a malicious act, the reality of campaigns targeting major industries are not. Given that they can hit a large number of organizations at once, the US-CERT notice provides recommendations for mitigating the impact of these kinds of malware, which include:

  • Applying application whitelisting to minimize the entry of malicious software and unapproved programs into the system.
  • Regularly patching and updating system software to prevent vulnerabilities from being exploited.
  • Following best practices for countering email threats, such as disabling email macros.

In addition, the use of comprehensive security software designed to cover both users and businesses can minimize the impact of threats such as FALLCHILL and Volgmer.

Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. 

Trend Micro™ TippingPoint™ customers are protected from the aforementioned threats via these MainlineDV filters:

  • 29662: TCP: FallChill Variant A - Fake TLS Client Hello Message
  • 23867: HTTP: Trojan.Win32/Volgmer.A Checkin
  • 30028: TCP: Volgmer Authentication Request

Deep Discovery Inspector protects customers via this DDI rule:

  • DDI Beta Rule ID 3768:VOLGMER – HTTP(Request)
Updated as of November 20, 2017, 7PM PDT to include Trend Micro's detections for the malware as well as TippingPoint™ and Deep Discovery Inspector solutions.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.