Crouching Rat, Hidden Cobra

The North Korean Edition of Crouching Tiger, Hidden Dragon

Security is at the forefront of everyone's mind these days, and for an excellent reason: attacks are genuinely coming from every angle. The FBI and the Department of Homeland Security have just released a joint warning about a long-running operation the US government tracks under the code name Hidden Cobra. These North Korean government-linked hackers have been using two strains of malware to remotely penetrate systems around the world and steal passwords and other sensitive data. The tools are the remote access tool (RAT) Joanap and the Server Message Block (SMB) worm Brambul, and the warning states they have likely been in use since at least 2009. Remember the 2014 attack on Sony Pictures Entertainment and the 2017 WannaCry outbreak? The US government attributes both to this same group.


What makes these attacks notable is that they combine a two-stage remote access tool with a worm that abuses a Windows feature most offices use every day without thinking about it. Joanap reaches a Windows machine as a file that an unwitting victim downloads from a compromised site or opens as a malicious email attachment (see our Phishing blog), or it is dropped by other Hidden Cobra malware already on the network. Once running, it gives the attackers remote control of the machine: file management, process management, and the ability to pull in further tools. So far the US government has identified infected IP addresses in Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Sri Lanka, Sweden, Taiwan, and Tunisia. Once a foothold exists inside a network, the Brambul SMB worm brings in the muscle.


To understand how this works, we need to understand Server Message Block. Many may think, "I don't use a Server Message Block, so I'm not at risk." SMB is the protocol behind Windows file and printer sharing (it listens on TCP port 445), so if your office "shares" any files, folders, or printers, you are using it, and that is exactly how Brambul spreads. The worm does not wait for someone to open a shared file; it scans for other machines with SMB reachable and tries to log in with a built-in list of common and weak passwords. Every machine it guesses its way into becomes a new launching point, so the worm multiplies like a group of rabbits. Unfortunately, this offspring isn't just eating your garden plants. On each compromised host Brambul can install Joanap and sends the machine's address, hostname, username, and password back to the attackers, which is how the North Korean-backed hackers harvest passwords and other extremely sensitive data from your network.
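The password-guessing behaviour described above leaves a very recognisable trace in the Windows Security log: a burst of failed network logons (event ID 4625, logon type 3) from one source address against many different account names, sometimes followed by a successful network logon (event ID 4624) from the same address. The script below is an added example written for this post, not code from the original article or from the government alert; the "timestamp,EventID,LogonType,TargetUserName,IpAddress" export format, the sample events, and the thresholds are all constructed for illustration.

```python
"""Flag SMB password-guessing bursts in exported Windows Security events.

Added example for this post (not from the original article or the US-CERT
alert). Input format is a hypothetical CSV export with one event per line:
    timestamp,EventID,LogonType,TargetUserName,IpAddress
Event 4625 = failed logon, 4624 = successful logon, logon type 3 = network
logon, which is what an SMB connection produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.45 guesses seven account names in a few seconds
# and then gets in; 10.0.0.12 is an ordinary user mistyping a password.
SAMPLE_EVENTS = """\
2018-05-29T10:00:01,4625,3,Administrator,10.0.0.45
2018-05-29T10:00:02,4625,3,admin,10.0.0.45
2018-05-29T10:00:02,4625,3,guest,10.0.0.45
2018-05-29T10:00:03,4625,3,user,10.0.0.45
2018-05-29T10:00:03,4625,3,test,10.0.0.45
2018-05-29T10:00:04,4625,3,backup,10.0.0.45
2018-05-29T10:00:04,4625,3,Administrator,10.0.0.45
2018-05-29T10:00:05,4625,3,root,10.0.0.45
2018-05-29T10:00:06,4624,3,Administrator,10.0.0.45
2018-05-29T10:00:10,4625,3,jsmith,10.0.0.12
2018-05-29T10:03:10,4625,3,jsmith,10.0.0.12
2018-05-29T10:00:20,4625,2,jsmith,10.0.0.12
"""


def parse_events(text):
    """Parse the CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def find_smb_guessing(events, window=timedelta(seconds=60),
                      min_failures=6, min_users=3):
    """Return {source_ip: summary} for sources whose failed network logons
    exceed min_failures against at least min_users distinct accounts inside
    any sliding window of the given length."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while e["time"] - evs[start]["time"] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {b["user"] for b in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                if best is None or len(burst) > best["failures"]:
                    best = {
                        "failures": len(burst),
                        "users": sorted(users),
                        "first": burst[0]["time"],
                        "last": burst[-1]["time"],
                    }
        if best is not None:
            # A successful network logon from the same source after the burst
            # means a guess landed: treat that host as compromised.
            best["success_after"] = any(
                s["ip"] == ip and s["event_id"] == 4624
                and s["logon_type"] == 3 and s["time"] >= best["last"]
                for s in events
            )
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, a in find_smb_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {a['failures']} failed SMB logons against "
              f"{len(a['users'])} accounts between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}; later success: {a['success_after']}")
```

The thresholds are deliberately conservative so a single user fumbling a password (10.0.0.12 above) is not reported, while a worm walking a password list trips the alert within seconds. On a real network you would feed this from a log collector rather than a text export, and a hit with `success_after` set is the one to act on first: that machine already has an attacker's credentials in use.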


This group is targeting a broad variety of industries, including the media, aerospace, financial, and critical infrastructure sectors, and it goes after whichever networks are poorly secured, because weak or reused passwords and file sharing exposed to the internet are all the worm needs to spread. So now is the time to make sure your office is as secure as it possibly can be: apply Windows patches promptly, block SMB (port 445) at the firewall so it is never reachable from outside, turn off file and printer sharing on machines that don't need it, and use strong, unique passwords for every account, especially local administrator accounts. Luckily you have access to the best security team with just a simple click or a quick phone call. The Pendello Solutions business technology associates will help make sure your patches are in place, your firewalls are up to date, and your network is as secure as technically possible.