Group Behind WannaCry Now Using New MalwareCISA Warns That Lazarus Group Has Added 3 New Tools
A sophisticated hacking group associated with the North Korean government that’s been tied to a number of high-profile attacks, including WannaCry, is using three new malware variants, according to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
These variants, which include two Trojans and a remote access tool, are being used by the hacking group that CISA calls Hidden Cobra, although others refer to it as the Lazarus Group. This group is suspected of carrying out a series of high-profile attacks, including the Sony Pictures hack of 2014 as well as the Wannacry ransomware attacks of 2017.
The alert comes during the week of the three-year anniversary of the WannaCry attacks.
Since that attack, CISA, DHS and the FBI have regularly issued warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime. In April, the U.S. government announced a $5 million reward for information about suspected North Korean-sponsored attacks (see: US Offers $5 Million Reward for N. Korea Hacker Information).
3 Malware Variants
Tuesday's CISA alert offers details on the three new malware variants link to Hidden Cobra:
- CopperHedge: This remote access Trojan, or RAT, has capabilities that include executing arbitrary commands, performing system reconnaissance and exfiltrating data. CISA researchers have found six versions of this RAT.
- TaintedScribe: This Trojan uses fake Transport Layer Security protocols for session authentication as well the Linear Feedback Shift Register algorithm for encryption. The main executable of this Trojan disguises itself as Microsoft’s Narrator - a screen-reading app built into Windows 10. The Trojan can connect with a command-and-control server and has the capability to download, upload, delete and execute files; enable Windows Command Line access; create and terminate processes; and perform target system enumeration.
- PebbleDash: This malware acts a remote access tool and allows the attacker to maintain a presence on the targeted network. As with TaintedScribe, it uses fake TLS protocols to authenticate and can encrypt its activities to hide from security tools. It also has the capability to download, upload, delete and execute files in an infected device.
Links to Previous Campaigns
Costin Raiu, director of Kaspersky’s global research and analysis team, notes that there are similarities between Manuscrypt, a malware family previous associated with North Korean-sponsored hackers that Kaspersky discovered in 2017, and the three malware variants that CISA described Tuesday.
"The samples are new variants of known malware used by the Lazarus advanced persistent threat group," Raiu tells Information Security Media Group. "We haven't seen these specific variants in the wild, but we've seen many others. As samples are usually customized for specific attacks, it is normal to have multiple variants of the same malware being used."
In addition to similarities in the source code and the command-and-control infrastructure used, Raiu notes that the three malware variants that CISA describes and the Manuscrypt malware perform many of the same functions. These include allowing attackers to maintain persistent access to the victims' networks, gathering more information about the victim's device and deploying other tools for additional network access.
Managing Editor Scott Ferguson contributed to this report.