forked from splunk/security_content
hidden_cobra_malware.yml
83 lines (80 loc) · 3.91 KB
category:
- Malware
channel: ESCU
creation_date: '2018-06-14'
description: Monitor for and investigate activities, including the creation or deletion
of hidden shares and file writes, that may be evidence of infiltration by North
Korean government-sponsored cybercriminals. Details of this activity were reported
in DHS Report TA-18-149A.
detections:
- detection_id: 7f5fb3e1-4209-4914-90db-0ec21b936378
name: SMB Traffic Spike
type: splunk
- detection_id: d25773ba-9ad8-48d1-858e-07ad0bbeb828
name: SMB Traffic Spike - MLTK
type: splunk
- detection_id: 9be56c82-b1cc-4318-87eb-q138afaaqa39
name: First time seen command line argument
type: splunk
- detection_id: 7f5fb3e1-4209-414-90db-0ec21b936378
name: Detect Outbound SMB Traffic
type: splunk
- detection_id: 272b8407-842d-4b3d-bead-a704584003d3
name: Remote Desktop Network Traffic
type: splunk
- detection_id: f5939373-8054-40ad-8c64-cec478a22a4a
name: Remote Desktop Process Running On System
type: splunk
- detection_id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5
name: DNS Query Length With High Standard Deviation
type: splunk
- detection_id: qw9919ed-fe5f-492c-b139-151bb162140e
name: Create or delete hidden shares using net.exe
type: splunk
- detection_id: 57f76b8a-32f0-42ed-b358-d9fa3ca7bac8
name: Suspicious File Write
type: splunk
- detection_id: 85fbcfe8-9718-4911-adf6-7000d077a3a9
name: DNS Query Length Outliers - MLTK
type: splunk
id: baf7580b-d4b4-4774-8173-7d198e9da335
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
modification_date: '2018-06-14'
name: Hidden Cobra Malware
narrative: 'North Korea''s government-sponsored "cyber army" has been slowly building
momentum and gaining sophistication over the last 15 years or so. As a result, the
group''s activity, which the US government refers to as "Hidden Cobra," has surreptitiously
crept onto the collective radar as a preeminent global threat.\
These state-sponsored actors are thought to be responsible for everything from a
hack on a South Korean nuclear plant to an attack on Sony in anticipation of its
release of the movie "The Interview" at the end of 2014. They''re also notorious
for cyberespionage. In recent years, the group seems to be focused on financial
crimes, such as cryptojacking.\
In June of 2018, the Department of Homeland Security, together with the FBI and
other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the
public about two variants of North Korean malware. One variant, dubbed "Joanap,"
is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate
data, download and execute secondary payloads, and initialize proxy communications.
The other variant, "Brambul," is a Windows32 SMB worm that is dropped into a victim
network. When executed, the malware attempts to spread laterally within a victim''s
local subnet, connecting via the SMB protocol and initiating brute-force password
attacks. It reports details to the Hidden Cobra actors via email, so they can use
the information for secondary remote operations.\
Among other searches in this Analytic Story is a detection search that looks for
the creation or deletion of hidden shares, such as "adnim$," which the Hidden Cobra
malware creates on the target system. Another looks for the creation of three malicious
files associated with the malware. You can also use a search in this story to investigate
activity that indicates that malware is sending email back to the attackers.'
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references:
- https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
spec_version: 2
usecase: Advanced Threat Detection
version: '2.0'
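The narrative above points at one of the story's detections: the creation or deletion of hidden shares (names ending in "$", such as "adnim$") through net.exe. The following is an added, stand-alone Python example written for this page; it is not code from the security_content repository or from the Splunk detection it illustrates. It assumes a constructed, pipe-delimited process-creation record format (time|host|user|process|command line), uses constructed sample records, and adds a lookalike check against default administrative share names (so "adnim$" is reported as resembling "admin$"); that check is this example's own addition, not something the story file specifies.

```python
"""Flag creation or deletion of hidden SMB shares made through net.exe / net1.exe.

Added example for the Hidden Cobra analytic story; the record format, the
sample records and the lookalike heuristic are all constructed for this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known default administrative shares. A share named to resemble one of
# these (the narrative's "adnim$") gets an extra flag.
DEFAULT_ADMIN_SHARES = {"admin$", "c$", "ipc$", "print$"}
# net.exe hands the actual work to net1.exe, so both binaries are in scope.
NET_BINARIES = {"net.exe", "net1.exe"}

_NET_SHARE_RE = re.compile(
    r"""(?:^|[\\\s"'])net1?(?:\.exe)?["']?\s+share\s+   # net / net1 [.exe] share
        (?P<name>[^\s=]+)                             # share name
        (?:\s*=\s*(?P<path>"[^"]+"|\S+))?             # =PATH is present only on create
        (?P<rest>.*)$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class ShareEvent:
    time: str
    host: str
    user: str
    action: str                  # "create" or "delete"
    share: str
    hidden: bool                 # a trailing "$" hides the share from browse lists
    lookalike_of: Optional[str]  # default share this name resembles, if any


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short share names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_default_share(name: str) -> Optional[str]:
    """Return the default admin share that 'name' imitates (close but not equal)."""
    lowered = name.lower()
    if lowered in DEFAULT_ADMIN_SHARES or len(lowered) < 4:
        return None
    for ref in sorted(DEFAULT_ADMIN_SHARES):
        if levenshtein(lowered, ref) <= 2:
            return ref
    return None


def parse_net_share(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (action, share) for a create/delete 'net share' command, else None."""
    m = _NET_SHARE_RE.search(cmdline)
    if not m:
        return None
    name = m.group("name").strip('"')
    if m.group("path"):
        return "create", name
    if re.search(r"/delete\b", m.group("rest"), re.IGNORECASE):
        return "delete", name
    return None  # "net share NAME" with neither = nor /delete only displays the share


def detect_hidden_share_events(lines: List[str]) -> List[ShareEvent]:
    """Scan constructed '|'-delimited process-creation records for hidden-share changes."""
    events: List[ShareEvent] = []
    for line in lines:
        try:
            time, host, user, process, cmdline = line.split("|", 4)
        except ValueError:
            continue  # malformed record
        if process.lower().rsplit("\\", 1)[-1] not in NET_BINARIES:
            continue
        parsed = parse_net_share(cmdline)
        if parsed is None:
            continue
        action, share = parsed
        if not share.endswith("$"):
            continue  # visible share: outside the hidden-share case
        events.append(ShareEvent(time, host, user, action, share, True,
                                 lookalike_default_share(share)))
    return events


# Constructed sample records (not real telemetry): time|host|user|process|command line
SAMPLE_LOGS = [
    r"2018-06-14T10:02:11Z|WS-17|CORP\jdoe|C:\Windows\System32\net.exe|net share adnim$=C:\Windows\System32 /grant:everyone,FULL",
    r"2018-06-14T10:05:40Z|WS-17|CORP\jdoe|C:\Windows\System32\net1.exe|net1 share adnim$ /delete",
    r"2018-06-14T10:06:02Z|WS-22|CORP\svc_backup|C:\Windows\System32\net.exe|net share Backups=D:\Backups /grant:backup,READ",
    r"2018-06-14T10:07:30Z|WS-22|CORP\admin|C:\Windows\System32\net.exe|net use \\fileserver\share",
    r"2018-06-14T10:08:00Z|WS-09|CORP\it|C:\Windows\System32\net.exe|net share",
]

if __name__ == "__main__":
    for ev in detect_hidden_share_events(SAMPLE_LOGS):
        print(ev)
```

Only the two "adnim$" records are reported; the visible "Backups" share, the "net use" command and the bare "net share" listing fall through. In a real deployment the record split would be replaced by the process-creation fields of the telemetry in use, and the lookalike check is a triage aid, not a condition of the match.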