In a notice, US-CERT revealed executable Windows files and a Word document. For the latter, malicious Visual Basic macros are being leveraged by the hackers. The Hidden Cobra group is also known as Lazarus. The content is a danger to both users and organizations running Windows. “These files have the capability to download and install malware, install proxy and Remote-Access Trojans (RATs), connect to command-and-control servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” US-CERT notes in its latest malware report. Hidden Cobra has had plenty of success attacking organizations with its Joanup and Brambul malware. With the malicious Word document, the hacking group has had a 12th malware type identified. Known as Typeframe, the content entices users to “enable content” to run malware. “This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”
Previous Attacks
This is not the first time North Korea has targeted Windows. In June 2017, the US Homeland Security Department and FBI warned about Hidden Cobra using unsupported Microsoft products to push malware. Hidden Cobra was managing to access infrastructure by exploiting older version of Microsoft programs and Adobe Flash vulnerabilities. Also last year, Microsoft revealed that it had thwarted a North Korean attack. The Trump administration also accused Pyongyang directly for a May cyber-attack. That hack resulted in banks, hospitals, and other organizations going down.