By Kevin Stear, Justin Lamarre, Ahmed Sonbol and Kent Backman
On November 14th 2017, the US-CERT released two Technical Alerts (TA17-318A and TA17-318B) on North Korean government cyber activity, aka HIDDEN COBRA, behind broad targeting of multiple sectors in Asia and the West. Both Symantec and Novetta have also previously documented prior campaigns by this nation-state actor, with follow-on analysis by Bluecoat and others.
FirstWatch assesses that HIDDEN COBRA high-level objectives include acquisition of hard currency, access into high value networks for later stage strategic effects, and collection of sensitive information (i.e., espionage). HIDDEN COBRA leverages compromised third party systems as operational relay and exploitation nodes, and delivers malware via drive-by download, spear phishing, watering hole and supply-chain attack methods.
Current campaigns by this Advanced Persistent Threat (APT) group have focused on delivery of the VOLGMER Backdoor, FALLCHILL Remote Access Trojan (a relative of DESTOVER), and most recently Android malware. As this malware is discussed in detail in previous US-CERT and industry reporting, this post will instead focus on detecting HIDDEN COBRA malcode with the NetWitness Suite.
It is important to note here that this HIDDEN COBRA malware does demonstrate a somewhat impressive level of technical sophistication. In addition to the use of DLLs for process injection, the malware has significant VM evasion and sleep/delay capabilities (Figure 1).
Figure 1. VOLGMER's long and random sleep routine
Despite some of this complexity, the VOLGMER executable has a number of blank file property fields, which are often good indicators of maliciousness (Figure 2).
Perhaps the most easily recognizable sign of HIDDEN COBRA activity on the network is the fake TLS handshake used for Command and Control (C2) in several strains of the APT group’s malware. This activity is detected in NetWitness Packets as an alert on “unknown service over SSL port”, as demonstrated by traffic from a machine infected with FALLCHILL (Figure 3).
Figure 3. Non-SSL C2 traffic of FALLCHILL malware flagged by NetWitness
NetWitness Endpoint also detects FALLCHILL by noting the malware’s unsigned process and network activity (Figure 4), which correlates to the traffic observed in NetWitness Packets in Figure 1.
Figure 4. HIDDEN COBRA FALLCHILL malware as observed in NetWitness Endpoint
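The “unknown service over SSL port” alert above rests on a simple idea: the first client bytes on a TLS port should form a well-formed TLS record carrying a ClientHello, and a fake handshake or plaintext protocol will not. The following Python is an added example of that check and is not NetWitness code or HIDDEN COBRA malware code; the port list, flow record layout and sample payloads are constructed here for illustration, and the check deliberately says nothing about what any particular malware's fake handshake looks like.

```python
"""Added example: flag client payloads on SSL/TLS ports that are not a TLS ClientHello.

This mirrors the idea behind an "unknown service over SSL port" alert. It is not
NetWitness code; the port set and the sample flows below are assumptions built
for this example.
"""
import struct
from typing import Dict, List

SSL_PORTS = {443, 465, 993, 995, 8443}   # assumption: ports where TLS is expected
TLS_HANDSHAKE = 0x16                     # TLS record content type "handshake"
CLIENT_HELLO = 0x01                      # handshake message type "client_hello"
MAX_RECORD = 16384                       # 2^14, the TLS plaintext record limit


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the first client bytes are a TLS record carrying a ClientHello."""
    if len(payload) < 11:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record header: type 0x16, version 3.x (SSLv3 through TLS 1.3 all use major 3)
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # Handshake header: type 0x01 and a body that exactly fills the record
    # (an unfragmented ClientHello, which is the common case this heuristic targets)
    if hs_type != CLIENT_HELLO or hs_len + 4 != rec_len:
        return False
    # client_version inside the ClientHello body must also be 3.x
    return payload[9] == 3 and payload[10] <= 4


def classify_flows(flows: List[Dict]) -> List[Dict]:
    """Emit one alert per flow whose destination is a TLS port but whose payload is not TLS."""
    alerts = []
    for f in flows:
        if f["dport"] in SSL_PORTS and not looks_like_tls_client_hello(f["payload"]):
            alerts.append({
                "src": f["src"], "dst": f["dst"], "dport": f["dport"],
                "alert": "unknown service over SSL port",
            })
    return alerts


# Constructed sample data (not captured traffic): a minimal valid TLS 1.0 record
# carrying a TLS 1.2 ClientHello with one cipher suite and no extensions.
VALID_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"          # record: handshake, version 3.1, length 45
    + b"\x01\x00\x00\x29"            # handshake: client_hello, length 41
    + b"\x03\x03" + bytes(32)        # client_version 3.3, 32-byte random
    + b"\x00"                        # session id length 0
    + b"\x00\x02\x13\x01"            # cipher suites: length 2, one suite
    + b"\x01\x00"                    # compression methods: length 1, null
)

SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "payload": VALID_CLIENT_HELLO},
    # application-data record first, no handshake at all
    {"src": "10.0.0.6", "dst": "192.0.2.11", "dport": 443, "payload": b"\x17\x03\x01\x00\x10" + bytes(16)},
    # plaintext HTTP sent to the TLS port
    {"src": "10.0.0.7", "dst": "192.0.2.12", "dport": 443, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    # opaque bytes that imitate nothing in particular
    {"src": "10.0.0.8", "dst": "192.0.2.13", "dport": 443, "payload": b"\x8a\x3f\x00\x00\x11\x22\x33\x44\x55\x66\x77\x88"},
    # plain HTTP on port 80 is out of scope for this check
    {"src": "10.0.0.9", "dst": "192.0.2.14", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for a in classify_flows(SAMPLE_FLOWS):
        print(a)
```

Running the block prints three alerts (for the application-data, plaintext HTTP and opaque payloads on 443) and none for the real ClientHello or the port-80 flow. The check is a first-packet heuristic, so it should be paired with the endpoint view of which process opened the connection, as the post does with NetWitness Endpoint.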
For activity associated with the VOLGMER Backdoor, the NetWitness Suite also provides several means of detection. The most consistent artifact in samples identified thus far is the “Mozillar” browser compatibility identifier name (it should be Mozilla) within user agent (UA) strings seen in the initial C2 check-in/beacon (Figure 5).
Figure 5. Telltale "Mozillar" User Agent identifier in VOLGMER beacon
VOLGMER also employs a number of seemingly random UA strings for this C2 function. While the purpose of this variation is unclear, we observed six completely different UA strings and varying HTTP headers over a few seconds from a single infected machine (Figure 6).
Figure 6. VOLGMER's jumbled HTTP connections upon initial C2 check-in
Examination of the codebase indicates that nine different UA strings may be used for the C2 check-in (Figure 7).
Figure 7. Various User Agent strings employed for VOLGMER C2 beacon as seen in malware code
Advanced features in the NetWitness Packets HTTP_Lua parser provide additional indications of this VOLGMER activity with meta tagging in the service.analysis field for “not good Mozilla” and “http 1.0 unsupported connection header”. These tags should signal to the security analyst that something is not right and warrants immediate investigation (Figure 8).
Figure 8. Suspicious HTTP artifacts flagged by the HTTP_Lua parser in NetWitness
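The three VOLGMER beacon artifacts described above (the “Mozillar” product token, the rapid rotation through many UA strings from one host, and the HTTP/1.0 request carrying a Connection header) can all be checked from the request headers alone. The Python below is an added example written for this post, not the HTTP_Lua parser or any NetWitness code; how it interprets the “not good Mozilla” and “http 1.0 unsupported connection header” tags is an assumption about what those names mean, the churn threshold and window are assumptions, and every request, host name and UA string in the sample set is constructed here rather than taken from captured traffic.

```python
"""Added example: tag VOLGMER-style HTTP beacon artifacts from request headers.

Heuristics (each an interpretation of a tag named in the post, not the parser's logic):
  * "not good Mozilla"                       - UA product token looks like Mozilla but is not
  * "http 1.0 unsupported connection header" - HTTP/1.0 request line with a Connection header
  * "user agent churn"                       - one source rotating through many UAs quickly
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

GOOD_MOZILLA = re.compile(r"^Mozilla/\d+\.\d+(\s|$)")
UA_CHURN_THRESHOLD = 3    # assumption: distinct UAs from one host that count as churn
UA_CHURN_WINDOW = 10.0    # assumption: seconds


@dataclass
class Request:
    ts: float
    src_ip: str
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(ts: float, src_ip: str, raw: str) -> Request:
    """Parse the head of an HTTP request into a Request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Request(ts, src_ip, method, target, version, headers)


def tag_request(req: Request) -> List[str]:
    """Per-request tags, independent of any other traffic."""
    tags = []
    ua = req.headers.get("user-agent", "")
    # A token that starts like Mozilla but does not parse as "Mozilla/x.y" (e.g. "Mozillar/4.0")
    if ua.startswith("Mozill") and not GOOD_MOZILLA.match(ua):
        tags.append("not good Mozilla")
    # RFC 1945 (HTTP/1.0) defines no Connection header; seeing one on a 1.0 request is odd
    if req.version == "HTTP/1.0" and "connection" in req.headers:
        tags.append("http 1.0 unsupported connection header")
    return tags


def churning_sources(reqs: List[Request]) -> Set[str]:
    """Sources that used >= UA_CHURN_THRESHOLD distinct UAs within UA_CHURN_WINDOW seconds."""
    by_src: Dict[str, List[Request]] = defaultdict(list)
    for r in sorted(reqs, key=lambda r: r.ts):
        by_src[r.src_ip].append(r)
    flagged = set()
    for src, rs in by_src.items():
        for i, start in enumerate(rs):
            window = [x for x in rs[i:] if x.ts - start.ts <= UA_CHURN_WINDOW]
            if len({x.headers.get("user-agent", "") for x in window}) >= UA_CHURN_THRESHOLD:
                flagged.add(src)
                break
    return flagged


def analyse(samples: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """Map each source IP to the sorted set of tags raised on its traffic."""
    reqs = [parse_request(ts, ip, raw) for ts, ip, raw in samples]
    alerts: Dict[str, Set[str]] = defaultdict(set)
    for r in reqs:
        alerts[r.src_ip].update(tag_request(r))
    for src in churning_sources(reqs):
        alerts[src].add("user agent churn")
    return {src: sorted(tags) for src, tags in alerts.items() if tags}


def _req(ua: str, version: str = "HTTP/1.1", conn: str = "") -> str:
    """Build a constructed request; the host name is a placeholder, not a real IoC."""
    extra = f"Connection: {conn}\r\n" if conn else ""
    return f"POST /index.asp {version}\r\nHost: beacon-host.example\r\nUser-Agent: {ua}\r\n{extra}\r\n"


# Constructed sample: one host emits six different UAs within five seconds, one of them
# the misspelt "Mozillar" token; a second host makes one ordinary browser request.
SAMPLES = [
    (0.0, "10.0.0.5", _req("Mozillar/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "HTTP/1.0", "Keep-Alive")),
    (0.8, "10.0.0.5", _req("Opera/9.80 (Windows NT 6.1)")),
    (1.9, "10.0.0.5", _req("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)")),
    (2.7, "10.0.0.5", _req("MSIE 8.0 Windows", "HTTP/1.0")),
    (3.5, "10.0.0.5", _req("Chrome/1.0")),
    (4.9, "10.0.0.5", _req("Lynx/2.8.8")),
    (0.5, "10.0.0.9", _req("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "HTTP/1.1", "keep-alive")),
]

if __name__ == "__main__":
    for src, tags in analyse(SAMPLES).items():
        print(src, tags)
```

Only 10.0.0.5 is reported, with all three tags; the single well-formed HTTP/1.1 request from 10.0.0.9 raises nothing. In practice the per-request tags are cheap to evaluate inline, while the churn check needs a short per-source window of recent requests.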
NetWitness Endpoint also provides indications of VOLGMER infections by flagging the process responsible for the malware’s C2 behavior, which uses contrived Host headers with random domains (Figure 9). This is well described in the US-CERT Malware Analysis Report (MAR) on Volgmer.
Figure 9. VOLGMER C2 check-in with unusual crafted HTTP artifacts and domains
HIDDEN COBRA has historically often been dismissed as not being a top-tier threat group; however, recent activity demonstrates the APT group’s ability to compromise a broad assortment of direct and indirect targets using above-average (and improving) malware development and deployment capabilities.
While it is likely that HIDDEN COBRA will continue to harvest new infrastructure for use in ongoing campaigns, all existing Indicators of Compromise (IOCs) from US-CERT reporting as well as IOCs related to the group’s Android malware targeting Samsung users (reporting by McAfee and Palo Alto Unit 42) have been incorporated into RSA FirstWatch’s Third Party domain and IP address feeds since November 15th.
IOCs are increasingly perishable (especially those from advanced actors) and limited in their effectiveness, so analysts should also leverage NetWitness and the techniques described in this post to identify any HIDDEN COBRA-initiated malware and related infrastructure that has yet to be identified.