{"id":6004,"date":"2018-06-13T15:44:29","date_gmt":"2018-06-13T22:44:29","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=6004"},"modified":"2018-06-13T15:44:29","modified_gmt":"2018-06-13T22:44:29","slug":"lateral-movement-technique-employed-by-hidden-cobra","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/06\/13\/lateral-movement-technique-employed-by-hidden-cobra\/","title":{"rendered":"Lateral Movement Technique Employed by Hidden Cobra"},"content":{"rendered":"<p>US-CERT recently issued a notification regarding malicious cyber activity by the North Korean government [1], referred to as Hidden Cobra. There are two families of malware used by the North Korean government.<\/p>\n<ul>\n<li>A Remote Access Tool (RAT) known as Joanap<\/li>\n<li>A Server Message Block (SMB) worm called Brambul<\/li>\n<\/ul>\n<p>As per the US-CERT report, Hidden Cobra has been using this malware since 2009 to target multiple victims globally and in the United States, including the media, aerospace and financial industries, and critical infrastructure sectors.<br \/>\nIn this blog, we share the technical details and spreading techniques used by the Brambul worm. 
Thereafter, we discuss how it can be detected by a distributed deception platform.<br \/>\n<b>Brambul Worm<\/b><br \/>\nThe worm spawns multiple threads, each of which randomly generates IP addresses to target for infection.<br \/>\n<img loading=\"lazy\" class=\"wp-image-4404 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM.png\" sizes=\"(max-width: 476px) 100vw, 476px\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM.png 974w, https:\/\/www.acalvio.com\/wp-content\/uploads\/https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM-300x188-1.png 300w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM-768x481-1.png 768w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-3.33.49-PM-400x250-1.png 400w\" alt=\"\" width=\"476\" height=\"298\" \/><br \/>\nFigure 1.0: Code for random generation of IP addresses.<br \/>\nOnce a victim IP address has been generated, the worm connects to the \\\\IPC$ share on port 445 of the victim machine, using Administrator as the username and a fixed set of hardcoded passwords.<br \/>\nThereafter, the malware calls the WNetAddConnection2 API to connect to the network resource and constructs the command below.<br \/>\n\u201c<i>cmd.exe \/q \/c net share admin$=%%SystemRoot%% \/GRANT:%s, FULL<\/i>\u201d<br \/>\nIt then calls the service manager through <i>OpenSCManagerA()<\/i>, with the victim machine on the network as the parameter; <i>StartServiceA()<\/i> then executes the command, which grants full permission on the remote machine. 
Once the command has been executed, the code calls <i>DeleteService()<\/i>, which deletes the service.<br \/>\n<img loading=\"lazy\" class=\"wp-image-4405 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-1024x379-1.png\" sizes=\"(max-width: 859px) 100vw, 859px\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-1024x379-1.png 1024w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-300x111-1.png 300w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-768x284-1.png 768w, https:\/\/www.acalvio.com\/wp-content\/uploads\/https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM-1080x400-1.png 1080w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-11-at-2.19.07-PM.png 1600w\" alt=\"\" width=\"859\" height=\"318\" \/><br \/>\nOnce full permission has been granted, the worm copies itself to the remote machine.<br \/>\n<b>Detection by Distributed Deception Platform<\/b><br \/>\nAs such, the worm is not particularly sophisticated and relies primarily on brute-force attempts, which succeed only in weakly secured environments. If a Distributed Deception Platform is deployed across the network in a <a href=\"https:\/\/www.acalvio.com\/deception-deployment-strategies-threat-agnostic-vs-service-agnostic\/\">threat-agnostic<\/a> manner, network enumeration by the Brambul worm will be detected with very high confidence (deployment of a distributed deception platform is discussed in a <a href=\"https:\/\/www.acalvio.com\/deception-deployment-strategies-threat-agnostic-vs-service-agnostic\/\">previous blog<\/a>). 
Brute-force attacks against the Distributed Deception Platform lead to isolation of the endpoint, thereby containing damage in a timely manner.<br \/>\n<b>References:<\/b><br \/>\n[1] Hidden Cobra \u2013 North Korean Malicious Cyber Activity. <a href=\"https:\/\/www.us-cert.gov\/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity\">https:\/\/www.us-cert.gov\/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity<\/a><br \/>\n[2] HIDDEN COBRA \u2013 Joanap Backdoor Trojan and Brambul SMB Worm. <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA18-149A\">https:\/\/www.us-cert.gov\/ncas\/alerts\/TA18-149A<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>US-CERT recently issued a notification regarding malicious cyber activity by the North Korean government [1], referred to as Hidden Cobra.<\/p>\n","protected":false},"author":2,"featured_media":4526,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6004"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=6004"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6004\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/4526"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=6004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post
=6004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=6004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}