US Government warns of more North Korean malware attacks

With Donald Trump and Kim Jong Un exchanging handshakes and smiles at the Singapore security summit earlier this month, you may have been fooled into thinking that all was cordial between the United States and North Korea.

Look under the surface, however, and things may be rather different.

For instance, just days after the two countries signed a joint agreement at their unprecedented talks, the US Department of Homeland Security has issued a warning about more malware being used by the North Korean government against US organisations.

The malware, dubbed “Typeframe”, is thought to be related to other attacks previously attributed to the Hidden Cobra hacking gang (also sometimes called “Lazarus” or “Guardians of the Peace”).

The hacking group has become notorious for its use of Remote Access Trojans (RATs), DDoS botnet attacks, keylogging spyware, and data-wiping malware in attacks against foreign companies.

Most recently, Chile’s second largest bank, has confirmed that in late May it suffered a serious malware attack that breached its systems and disrupted its services.

That attack saw attackers use Hidden Cobra’s disk-wiping malware to distract attention, while some US $10 million was stolen via the SWIFT money transferring system.

If the attack was indeed the work of North Korea, it would be the latest in a long series of attacks on SWIFT which have allegedly stolen hundreds of millions of dollars for the pariah state.

And in the past, the US Government has even blamed Hidden Cobra for the notorious WannaCry ransomware attack, a claim which North Korea predictably denied.

In their latest report, the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) does not share details of how many computers may have been infected by Typeframe, or what industries may have been targeted.

However, it does share a technical analysis of 11 malware samples (Windows executables files, and a Microsoft Word document) that attempt to download and install spyware, connect to command and control servers, and meddle with victims’ firewalls to allow incoming connections.

All of the malware samples appear to have been compiled before the Singapore security summit was announced.

To better defend against the Typeframe attacks, organisations are being urged by US-CERT to look for indications of compromise – detailed within the report – by reviewing network logs for IP addresses, and using a variety of network signatures and host-based rules.