U.S. Cyber Command exposes 3 new malware strains used by North Korean hackers

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have released a joint security alert detailing three new malware variants used by a state-sponsored North Korean hacker group tracked as HIDDEN COBRA.

Dubbed COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware strains are Remote Access Tools (RATs) capable of remote reconnaissance and exfiltration of sensitive information from target systems.

The first of the new malware variants, COPPERHEDGE (Manuscrypt), is described as a full-featured RAT capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.

TAINTEDSCRIBE is a full-featured beaconing implant with command modules, designed to disguise itself as Microsoft's Narrator. It downloads its command execution module from a command and control (C2) server and can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.

PEBBLEDASH is yet another trojan that acts as a full-featured beaconing implant. Like the TAINTEDSCRIBE trojan, it is able to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.

U.S. Cyber Command has also uploaded five samples of the newly discovered malware variants attributed to DPRK onto the VirusTotal malware aggregation repository.

Earlier this week, U.S. security agencies released a report describing the known vulnerabilities most commonly exploited by sophisticated foreign cyber actors between 2016 and 2019.