{"id":4402,"date":"2018-06-13T13:16:15","date_gmt":"2018-06-13T20:16:15","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=4402"},"modified":"2018-06-13T13:16:15","modified_gmt":"2018-06-13T20:16:15","slug":"lateral-movement-technique-by-hidden-cobra-threat-actor","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/06\/13\/lateral-movement-technique-by-hidden-cobra-threat-actor\/","title":{"rendered":"Lateral Movement Technique by Hidden Cobra Threat Actor"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">US-CERT recently issued a notification [1] regarding malicious cyber activity by the North Korean government, tracked as Hidden Cobra. The alert covers two families of malware used by the North Korean government: <\/span><\/p>\n
<ul>\n
<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">a Remote Access Tool (RAT) known as Joanap, and <\/span><\/li>\n
<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">a Server Message Block (SMB) worm called Brambul. <\/span><\/li>\n
<\/ul>\n
<p><span style=\"font-weight: 400;\">According to the US-CERT report [2], the threat actor has been using this malware since 2009 to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors. <\/span><br \/>\n
<span style=\"font-weight: 400;\">In this blog we share the technical details of the spreading technique used by the Brambul worm and its detection by a distributed deception platform. 
<\/span><br \/>\n
<b>Brambul Worm <\/b><br \/>\n
<span style=\"font-weight: 400;\">The worm spawns multiple threads, each of which randomly generates IP addresses to infect. <\/span><br \/>\n
<img loading=\"lazy\" class=\"wp-image-4404 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM.png\" alt=\"\" width=\"476\" height=\"298\" \/><br \/>\n
<span style=\"font-weight: 400;\">Figure 1.0: Code for the random generation of IP addresses. <\/span><br \/>\n
<span style=\"font-weight: 400;\">Once a victim IP address has been generated, the worm connects to the IPC$ share on port 445 of the victim machine, using Administrator as the username and a fixed list of hardcoded passwords. <\/span><br \/>\n
<span style=\"font-weight: 400;\">Further down in the malware code, it calls the WNetAddConnection2 API to connect to the network resource and constructs the command below. The string is a format string: %s receives the username the worm authenticated with, and each %% yields a literal % character. <\/span><br \/>\n
<span style=\"font-weight: 400;\">&#8220;<\/span><i><span style=\"font-weight: 400;\">cmd.exe \/q \/c net share admin$=%%SystemRoot%% \/GRANT:%s, FULL<\/span><\/i><span style=\"font-weight: 400;\">&#8221;<\/span><br \/>\n
<span style=\"font-weight: 400;\">It then opens the service control manager on the victim with <\/span><i><span style=\"font-weight: 400;\">OpenSCManagerA()<\/span><\/i><span style=\"font-weight: 400;\">, passing the victim machine name as the parameter. <\/span><i><span style=\"font-weight: 400;\">StartServiceA()<\/span><\/i><span style=\"font-weight: 400;\"> is then called with the command as its parameter; the service executes the command, which re-shares admin$ on the remote machine and grants full permission on it to the account the worm authenticated with. 
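<\/span><\/p>\n
<p><span style=\"font-weight: 400;\">The procedure above leaves two footprints on the victim that can be matched outside the malware itself. What follows is an added example written for this post, not code from Acalvio or from the US-CERT alert: a small Python detector run over constructed Windows event records. It assumes that each rejected Administrator attempt against a target produces Security event 4625 (failed logon, LogonType 3 for a network logon), that the service started through the service control manager produces System event 7045 (a service was installed) with the net share admin$ command as its ImagePath, and that the deception platform supplies the list of decoy hosts. The host names, IP addresses, decoy names and the field layout of the records are constructed for the example.<\/span><\/p>\n
```python
"""Detecting the two observable stages of the Brambul spread from Windows events.

Added example, not code from the Acalvio post or the US-CERT alert. It runs over
constructed records modelled on Security event 4625 (failed logon; LogonType 3
is the network logon an SMB connection to IPC$ with Administrator and a guessed
password produces) and System event 7045 (a service was installed), whose
ImagePath carries the 'net share admin$=... /GRANT:...,FULL' command the worm
runs through the service control manager. Hosts, IPs and decoys are made up.
"""
from collections import defaultdict
import re

# Decoy hosts in the constructed environment (assumed; a deception platform
# would supply the real list). Any logon attempt against one is an alert.
DECOY_HOSTS = {"ws-07", "fs-decoy-1"}

# The command string from the post with %SystemRoot% and %s already expanded.
SHARE_GRANT = re.compile(r"net\s+share\s+admin\$=.*?/GRANT:.*?,\s*FULL", re.IGNORECASE)


def logon_failure(target, source):
    """Build a constructed 4625 record: failed network logon as Administrator."""
    return {"EventID": 4625, "Computer": target, "TargetUserName": "Administrator",
            "IpAddress": source, "LogonType": 3, "AuthenticationPackageName": "NTLM"}


# Constructed sample: one infected host (10.0.0.5) sprays Administrator across
# randomly chosen targets, hits a decoy on the way, succeeds on ws-42 and
# installs the share-grant service there. 10.0.0.9 is benign noise, and the
# Sysmon install on ws-10 is a legitimate 7045 that must not match.
SAMPLE_EVENTS = [
    logon_failure(t, "10.0.0.5") for t in ["ws-10", "ws-11", "ws-07", "ws-13", "ws-14", "ws-15"]
] + [
    logon_failure("ws-10", "10.0.0.9"),
    logon_failure("ws-10", "10.0.0.9"),
    {"EventID": 7045, "Computer": "ws-42", "ServiceName": "svchost32",
     "ImagePath": "cmd.exe /q /c net share admin$=C:\\Windows /GRANT:Administrator, FULL"},
    {"EventID": 7045, "Computer": "ws-10", "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe"},
]


def find_smb_spray(events, min_targets=5):
    """Sources with failed network logons as Administrator to >= min_targets distinct hosts.

    The worm picks targets at random, so one source fanning out across many
    hosts with the same account is the signature of its enumeration loop.
    """
    targets = defaultdict(set)
    for e in events:
        if (e.get("EventID") == 4625 and e.get("LogonType") == 3
                and e.get("TargetUserName", "").lower() == "administrator"):
            targets[e["IpAddress"]].add(e["Computer"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def find_decoy_touch(events, decoys=DECOY_HOSTS):
    """Sources that attempted any logon to a decoy host; a single attempt is enough."""
    return sorted({e["IpAddress"] for e in events
                   if e.get("EventID") == 4625 and e.get("Computer") in decoys})


def find_share_grant(events):
    """Hosts where a service was installed whose command re-shares admin$ with FULL rights."""
    return [(e["Computer"], e["ServiceName"]) for e in events
            if e.get("EventID") == 7045 and SHARE_GRANT.search(e.get("ImagePath", ""))]


def detect(events):
    """Run all three checks and return their hits keyed by check name."""
    return {"spray": find_smb_spray(events),
            "decoy_touch": find_decoy_touch(events),
            "share_grant": find_share_grant(events)}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_EVENTS).items():
        print(kind, hits)
```
<p><span style=\"font-weight: 400;\">The three checks fire at different points. The decoy check needs only one attempt and is the signal a deception platform acts on; the spray check catches the random target selection even where no decoy was hit; and the 7045 match catches the stage that only runs on a host where one of the hardcoded passwords actually worked, so it also tells you which machines to pull for forensics.<\/span><\/p>\n
<p><span style=\"font-weight: 400;\">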
Once the command has executed, the code calls <\/span><i><span style=\"font-weight: 400;\">DeleteService<\/span><\/i><span style=\"font-weight: 400;\">() to remove the service again; the share permission it granted stays in place.<\/span><br \/>\n
<img loading=\"lazy\" class=\"wp-image-4405 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-1024x379-1.png\" alt=\"\" width=\"859\" height=\"318\" \/><br \/>\n
<span style=\"font-weight: 400;\">Once full permission has been granted on the remote machine, the worm copies itself to the remote machine over the admin$ share. <\/span><br \/>\n
<b>Detection by Distributed Deception Platform <\/b><br \/>\n
<span style=\"font-weight: 400;\">The worm itself is not sophisticated: it relies primarily on brute-force attempts with a small set of hardcoded passwords, and it succeeds only in weak environments where the local Administrator account still uses one of them. If decoys are deployed in a <\/span><a href=\"https:\/\/www.acalvio.com\/deception-deployment-strategies-threat-agnostic-vs-service-agnostic\/\"><span style=\"font-weight: 400;\">threat agnostic <\/span><\/a><span style=\"font-weight: 400;\">manner, as discussed in the<\/span><a href=\"https:\/\/www.acalvio.com\/deception-deployment-strategies-threat-agnostic-vs-service-agnostic\/\"><span style=\"font-weight: 400;\"> previous blog<\/span><\/a><span style=\"font-weight: 400;\">, the network enumeration by the Brambul worm will be detected by the distributed deception platform: because the worm picks its targets at random, it attempts to log on to decoys as readily as to real hosts, and the resulting brute-force condition raises a breach alert that leads to isolation of the infected endpoint. <\/span><br \/>\n
<b>References:<\/b><br \/>\n
<span style=\"font-weight: 400;\">[1] Hidden Cobra &#8211; North Korean Malicious Cyber Activity. 
https:\/\/www.us-cert.gov\/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity<\/span><br \/>\n
<span style=\"font-weight: 400;\"><br \/>\n
[2] HIDDEN COBRA &#8211; Joanap Backdoor Trojan and Brambul SMB Worm (TA18-149A). https:\/\/www.us-cert.gov\/ncas\/alerts\/TA18-149A<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>US-CERT recently issued a notification [1] regarding malicious cyber activity by the North Korean government, tracked as Hidden Cobra. The alert covers two families of malware used by the North Korean government: a Remote Access Tool (RAT) known as Joanap, and a Server Message Block (SMB) worm called Brambul. According to the US-CERT report [2], the threat [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/4402"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=4402"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/4402\/revisions"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=4402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=4402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=4402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}