enSilo Blocks Hidden Cobra's Latest Attack Tool

Hidden Cobra’s latest attack tool

Hidden Cobra is a well-known hacker group that has been active since 2009. The group (also known as "Lazarus Group" and "Dark Seoul") has had many cyber-attacks attributed to it by experienced security and threat researchers.

Around the end of May 2018, a new piece of malware believed to be created by Hidden Cobra was discovered by US-CERT.

The malware has two main components:

  • Brambul (wmmvsvc.dll) – a tool designed to allow lateral movement inside the infected network.
  • Joanap (scardPrv.dll) – a powerful remote access tool (RAT) providing multiple capabilities to control and manipulate the victim machine.

 

In this blog, we will review the malware’s dropper along with its components, and provide a look inside the malware’s capabilities.

Dropper

This 32-bit executable is designed to drop and install the two main components of the malware.

The dropper executes its code by registering a callback through the DialogBoxParam call. It makes sure the machine isn't already infected by querying the Service Control Manager for the existence of the services it will later install, then drops both components as DLLs after extracting their content from the dropper's data resource.

The malware uses svchost.exe as the host process for the DLLs and establishes persistence on the victim's machine by installing them as services through the Windows Service Control Manager APIs, which requires the victim's user account to have high privileges. By using svchost.exe as the host process, the threat actor tries to hide in plain sight as a common process seen regularly on the system.

Brambul (wmmvsvc.dll)

After checking the current OS version and creating a mutex, Brambul dynamically loads DLLs and functions whose names are obfuscated. In Figure 1, we see that the string "iamsorry!@1234567" is used as the key for the deobfuscation function.

Figure 1 - Obfuscated function and library names

Brambul enumerates the IPs in the subnet of the infected machine, trying to establish an SMB connection as an anonymous user using the WNetAddConnection2 API call. Once Brambul establishes a connection, it attempts to gain access to those machines with a brute-force attack that uses a built-in list of commonly used passwords.


Interestingly enough, Brambul uses different spellings of "Administrator" in English, Spanish and French, which may indicate different potential targets. It uses the command in Figure 3 to create a network folder that points to the target machine.

Figure 2 - Attempt to use different spellings of "Administrator"

It then copies the dropper to the shared folder, runs it as a service using the remote Service Control Manager, and covers its tracks by deleting the shared folder and the service.

Figure 3 - Preparing the shared folder path

After it collects information about the newly infected machine, it transfers that information to the threat actor as an email sent over SMTP. This is quite unusual behavior for an endpoint to perform by itself and can serve as a red flag for suspicious activity if detected at the kernel level. The email transfer shown in Figure 4 is configured to be sent from redhat@gmail[.]com to misswang8107@gmail[.]com and consists of attributes designed to make the message appear legitimate.

Figure 4 - Using SMTP to pass the victim system information as an email
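Detection logic for the two Brambul behaviours described above (the subnet-wide guessing against localized "Administrator" accounts and an endpoint mailing data out over SMTP), as an added example that is not code from the original post or from enSilo. The logon and flow records are constructed samples, and their field layout (event 4625 fields, a generic flow log) is an assumption.

```python
"""Detection logic for two Brambul behaviours: SMB password guessing
against localized "Administrator" accounts across a subnet, and an
endpoint mailing data directly over SMTP. Added example, not enSilo
code; the records below are constructed samples (field layout assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Spellings the page says Brambul tries (English, Spanish, French).
ADMIN_SPELLINGS = {"administrator", "administrador", "administrateur"}

# Constructed sample: failed network logons (event 4625, LogonType 3):
# (timestamp, source_ip, target_host, target_user)
FAILED_LOGONS = [
    ("2018-06-01 10:00:01", "10.0.0.15", "WS-001", "Administrator"),
    ("2018-06-01 10:00:02", "10.0.0.15", "WS-001", "Administrador"),
    ("2018-06-01 10:00:03", "10.0.0.15", "WS-002", "Administrateur"),
    ("2018-06-01 10:00:04", "10.0.0.15", "WS-003", "Administrator"),
    ("2018-06-01 10:00:05", "10.0.0.15", "WS-004", "Administrator"),
    ("2018-06-01 11:30:00", "10.0.0.20", "WS-001", "jdoe"),  # benign
]

# Constructed sample: outbound flows as (src_ip, dst_port, src_role).
FLOWS = [
    ("10.0.0.15", 25, "workstation"),
    ("10.0.0.5", 25, "mail-relay"),
    ("10.0.0.20", 443, "workstation"),
]

def find_admin_spray(events, window=timedelta(minutes=5), min_hosts=3):
    """Source IPs whose failed admin logons hit >= min_hosts distinct
    hosts within `window`: Brambul's subnet sweep pattern."""
    per_source = defaultdict(list)
    for ts, src, host, user in events:
        if user.lower() in ADMIN_SPELLINGS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_source[src].append((when, host))
    flagged = set()
    for src, hits in per_source.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged.add(src)
                break
    return flagged

def find_endpoint_smtp(flows):
    """Hosts that are not mail relays yet connect to TCP/25 directly."""
    return {s for s, port, role in flows if port == 25 and role != "mail-relay"}
```

Both checks flag the same constructed source (10.0.0.15), which is the correlation a defender would want: the host guessing admin passwords across the subnet is also the one talking SMTP on its own.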

 

Joanap (scardPrv.dll)

This 32-bit DLL remote access tool (RAT) provides a wide range of capabilities, from simple file operations to more complex actions such as proxying. Joanap uses dynamic imports and hides library and function names in a similar manner to Brambul.

Upon receiving a command, Joanap chooses an appropriate action to perform from 21 different functions.

Each function is built in a uniform structure to allow easy handling of the command and its result: a call to the function itself, followed by a section that sends the results of the executed command back to the threat actor.

Figure 5 - Generic structure of a function

Some of its more interesting functions provide the following capabilities:

  • Searching for any active RDP session, along with collecting and sending basic information about the system
  • Uploading a file
  • Downloading a file
  • Downloading and executing a DLL using rundll.exe
  • Recursively deleting all files and sub-directories in a selected folder

 

As we can see, Joanap presents a wide selection of capabilities that gives the threat actor full control over file operations, letting them efficiently deliver additional payloads to the victim and steal the desired data located on the victim machine.

 

enSilo Platform Protection

enSilo successfully blocks the malicious threats described in this blog and prevents the malware from achieving persistence on the system, as well as preventing the payloads from executing by identifying their malicious abilities prior to their execution.

 


IOCs

Service name   Display Name                                 Path
Wmmvsvc        Windows Media Management Driver Extensions   C:\Windows\system32\wmmvsvc.dll
SCardPrv       SmartCard Protector                          C:\Windows\system32\scardprv.dll
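A host-side hunt for the persistence artifacts in this table and for the svchost.exe-hosted services described in the Dropper section, as an added example that is not enSilo's code. It assumes a Services-hive export in .reg format as input; SAMPLE_REG is a constructed sample, not data from a real host.

```python
"""Parse a Services-hive .reg export and flag svchost-hosted services whose
name or ServiceDll matches the IOC table. Added example; SAMPLE_REG is constructed."""
import re

IOC_SERVICES = {"wmmvsvc", "scardprv"}
IOC_DLLS = {"wmmvsvc.dll", "scardprv.dll"}

SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmmvsvc]
"DisplayName"="Windows Media Management Driver Extensions"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmmvsvc\Parameters]
"ServiceDll"="C:\\Windows\\system32\\wmmvsvc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"
'''

# Key lines for <service> and <service>\Parameters; quoted "name"="value" lines.
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services'
                    r'\\([^\\\]]+)(\\Parameters)?\]$')
VAL_RE = re.compile(r'^"(\w+)"="(.*)"$')

def parse_services(reg_text):
    """Return {service_name: {value_name: value}} with Parameters merged in."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            # .reg files double every backslash; undo that escaping.
            current[val.group(1)] = val.group(2).replace("\\\\", "\\")
    return services

def find_iocs(services):
    """Names of services matching the IOC table by name or by hosted DLL."""
    hits = []
    for name, vals in services.items():
        dll = vals.get("ServiceDll", "").lower().rsplit("\\", 1)[-1]
        hosted = "svchost.exe" in vals.get("ImagePath", "").lower()
        if name.lower() in IOC_SERVICES or (hosted and dll in IOC_DLLS):
            hits.append(name)
    return sorted(hits)
```

The DLL check is deliberately tied to svchost.exe hosting, since that is the persistence shape the dropper uses; a legitimate svchost service such as the Dhcp entry is left alone.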

 

 

Mutex

PlatFormSDK2.1S

Dropper SHA256

077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885

Brambul SHA256


Joanap SHA256