enSilo Blocks Hidden Cobras Latest Attack Tool
Hidden Cobra’s latest attack tool
Hidden Cobra is a well-known hackers group that has been active since 2009. The group (also known as “Lazarus Group” and “Dark Seoul”) has many cyber-attacks attributed to its name according to experienced security and threat researchers.
Around the end of May 2018, a new piece of malware believed to be created by Hidden Cobra was discovered by US-CERT.
The malware has two main components:
- Brambul (wmmvsvc.dll) – a tool designed to allow lateral movement inside the infected network.
- Joanap (scardPrv.dll) – a powerful remote access tool (RAT) providing multiple capabilities to control and manipulate the victim machine.
In this blog, we will review the malware’s dropper along with its components, and provide a look inside the malware’s capabilities.
This 32-bit executable is designed to drop and install the two main components of the malware.
The dropper executes its code by registering a callback through the DialogBoxParam call. It makes sure the machine isn’t already infected by querying the Service Control Manager for the existence of services it will later install and moves on to dropping both components as DLLs after extracting their content from the dropper’s data resource.
The malware uses svchost.exe as the host process for the DLLs and establishes persistence on the victim’s machine by installing them as services using Window’s Service Control Manager APIs which relies on the victim’s user account having high privileges. By using svchost.exe as the host process, the threat actor tries to hide itself in plain-sight as a common process seen regularly in the system.
After checking the current OS version and creating a mutex, it dynamically loads DLLs and functions which names are being obfuscated. In Figure 1, we see that the string “iamsorry!@1234567” is being used as a key for the deobfuscation function.
Figure 1 - Obfuscated function and libraries names
Brambul enumerates the IPs in the subnet of the infected machine trying to establish an SMB connection as an anonymous user, using WNetAddConnection2 API call. Once Brambul establishes a connection, it then attempts to gain access to those machines by initiating a brute force attack that uses a built-in list of commonly used passwords.
Interesting enough, Brambul uses different spellings of “Administrator” in English, Spanish and French which may indicate the different potential targets. It uses the command in Figure 3 to create a network folder that points to the target machine.
Figure 2 - Attempt to use different spellings of "Administrator"
It then copies the dropper to the shared folder, runs it as a service by using the remote Service Control Manager and cover its tracks by deleting the shared folder and service.
Figure 3 - Preparing the shared folder path
After it collects and sends information about the newly infected machine, it then chooses to transfer the information to the threat actor as an email using SMTP. This is quite unusual behavior for an endpoint to perform by itself and can serve as a red flag for suspicious activity, if detecting at the kernel level. The email transfer shown in Figure 4 is configured to be sent via email from redhat@gmail[.]com to misswang8107@gmail[.]com and consists of attributes designed to make the message appear legitimate.
Figure 4- Using SMTP to pass the victim system information as an email
This 32-bit DLL remote access tool (RAT) provides a wide range of capabilities that vary from simple file operations and more complex actions such as proxy capabilities. Joanap uses dynamic import and hides both libraries and functions names in a similar manner to Brambul.
Upon receiving a command, Joanap chooses an appropriate action to perform from 21 different functions.
Each of the functions are built in a uniform structure, to allow easy handling of the command and its result, while maintaining a constant structure consisting of the call to the function itself, followed by a section that sends the results back to the threat actor, along with results of the executed command.
Figure 5 - Generic structure of function
Some of it’s more interesting functions contains the following capabilities:
- Searching for any active RDP session, along with collecting and sending basic information about the system
- Upload a file
- Download a file
- Download and execute a DLL using rundll.exe
- Recursively delete all files and sub directories in a selected folder
As we can see, Joanap presents a wide selection of capabilities that provides the threat actor with full control over file operations, which results in them being able to efficiently deliver additional payloads to the victim and stealing the desired data that is located on the victim machine.
enSilo Platform Protection
enSilo successfully blocks malicious threats described in this blog and prevents the malware from achieving persistency on the system, as well as preventing the payloads from executing by identifying their malicious abilities prior to its execution.
Windows Media Management