The U.S. Department of Homeland Security and the FBI issued a joint technical alert warning about ongoing hacking activity by HIDDEN COBRA.
HIDDEN COBRA is how the U.S. government refers to malicious cyber activity by the North Korean government.
The federal agencies say their analysis indicates an ongoing campaign that apparently began in 2009 and continues to spread and receive updates "to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors."
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include:
Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:
Read the complete Homeland Security HIDDEN COBRA technical alert, which includes mitigation and prevention tactics, for more information.