Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD).
The three new malware strains are the latest addition to a long list of over 20 malware samples, including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH, among others, that have been identified by the security agencies as originating as part of a series of malicious cyber activity by the North Korean government it calls Hidden Cobra, or widely known by the moniker Lazarus Group.
COPPERHEDGE, the first of the three new variants, is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. It's being used by advanced threat actors to target cryptocurrency exchanges and related entities. Six different versions of COPPERHEDGE have been identified.
TAINTEDSCRIBE functions as a backdoor implant that masquerades itself as Microsoft's Narrator screen reader utility to download malicious payloads from a command-and-control (C2) server, upload, and execute files, and even create and terminate processes.
Lastly, PEBBLEDASH, like TAINTEDSCRIBE, is another trojan with capabilities to "download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; perform target system enumeration."
A significant Cyber Espionage Threat
The WannaCry ransomware infection of 2017, also known as Wanna Decryptor, leveraged a Windows SMB exploit, dubbed EternalBlue, that allowed a remote hacker to hijack unpatched Windows computers in return for Bitcoin payments of up to $600. The attack has since been traced to Hidden Cobra.
With the Lazarus Group responsible for the theft of more than $571 million worth of cryptocurrency from online exchanges, the financially-motivated attacks led the US Treasury to sanction the group and its two off-shoots, Bluenoroff and Andariel, last September.
Then earlier this March, the US Department of Justice (DoJ) charged two Chinese nationals working on behalf of the North Korean threat actors to allegedly launder over $100 million worth of the stolen cryptocurrency using prepaid Apple iTunes gift cards.
Last month, the US government had issued guidance on the 'significant cyber threat' posed by North Korean state-sponsored hackers to the global banking and financial institutions, in addition to offering a monetary reward of up to $5 million for information about past or ongoing illicit DPRK activities in the cyber realm.
"The DPRK's malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system," the advisory cautioned.
"Under the pressure of robust US and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs."