Posts

Method: Hidden Cobra TYPEFRAME Malware Activity

On June 14th, US-CERT released a Malware Analysis Report (AR18-165A) that details a set of malware, code-named TYPEFRAME, with the earliest observed sample dating back to 2015. This malware appears to have been leveraged by North Korea’s threat actor HIDDEN COBRA (aka Lazarus). The Trojan has the capability to download and install malware, proxies and remote access tools (RATs), connect to command and control servers and modify the victim’s host based firewall to allow incoming connections.

The multiple executables and malicious document referenced within the report shows that the Trojan TYPEFRAME seems to be quite modular in nature, with different installers appearing to install different malicious modules. In summary, the multiple executables detailed in the report can be summarized as the following:

  • F5A4235EF02F34D547F71AA5434D9BB4 / BFB41BC0C3856AA0A81A5256B7B8DA51 – The installer that sets the RAT as a service on the victim’s machine
  • 10B28DA8EEFAC62CE282154F273B3E34 – This file is an installer designed to set a proxy module as a service on the victim’s machine.
  • 00B0CFB59B088B247C97C8FED383C115 – This file also serves as a proxy module designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. This module listens on port 8443.
  • BF474B8ACD55380B1169BB949D60E9E4 – This file is a RAT designed to install a proxy module as a service on the victim’s system.
  • 6AB301FC3296E1CEB140BF5D294894C5 – This malicious Word document contains a VBA macro to decode a PE binary and execute it.
  • EF9DB20AB0EEBF0B7C55AF4EC0B7BCED – This file is designed to connect to its remote C2 servers on port 443 and wait for instructions.
  • 1C53E7269FE9D84C6DF0A25BA59B822C – This file is a proxy module installed as a service and is designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. Notably, this malware makes use of a fake TLS communication mechanism.

Given the nature of the tactics used by this particular threat actor and the details available in the advisory, the threat is prevented by most common security countermeasures such as an up-to-date corporate antivirus. The risk for most organizations is likely minimal.

The Proficio Threat Intelligence Recommendations

  • Add the seven IP IOCs (indicators of compromise) flagged by US-CERT in the MAR (malware analysis report) to a firewall blocklist / SIEM monitoring watchlist.
  • Make sure to maintain antivirus products are up-to-date as this malware appears to have good detection rates amongst antivirus vendors with the samples analyzed.
  • Disable File and Printer sharing services if not required for business needs.
  • Restrict users’ ability to install and run unwanted software applications.
  • Exercise caution when opening email attachments.
  • Enable personal, host-based firewalls on individual workstations to deny unsolicited connection requests.

Source of Analysis – Click Here