Alert Raised on North Korean Malware

Technology > Security

North Korean female officers rehearsing for the parade. / Photo by: Maxpixel


A technical alert has been issued by the US Computer Emergency Readiness Team on two types of malware used by the North Korean government. The first is a remote access Trojan named Joanap, and the second is a server message block (SMB) worm dubbed Brambul. The two malware families have already infected 85 networks, according to Warwick Ashford, reporting for Computer Weekly.

US-CERT said the alert was the result of collaborative work between the US Department of Homeland Security and the Federal Bureau of Investigation. Both agencies have pinpointed the IP addresses and other indicators of compromise associated with the two North Korean malware families. The IP addresses and other IOCs, along with recommended remediation actions, are being distributed by the two agencies to enable network defense and prevent exposure to any malicious cyber activity by the North Korean government.

The alert advises those who may have detected activity associated with these two malware types to immediately report it to the DHS National Cybersecurity and Communications Integration Center or the FBI Cyber Watch. They should also give it the highest priority for enhanced mitigation, the alert added. 

The Joanap and Brambul malware may have been used by North Korean rogue actors since at least 2009 to target multiple victims globally and in the US, including the media, aerospace, financial and critical infrastructure sectors, according to US authorities. 

The alert describes the Joanap malware as a fully functional RAT that can receive and execute multiple commands issued remotely from a command and control server. It typically infects a system as a file dropped by other malware, which users unknowingly download when they visit compromised sites or open suspicious email attachments.

On the other hand, the Brambul malware is a brute-force authentication worm that spreads through SMB file shares. It typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against SMB services in order to gain access to a victim's network.
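The spreading behaviour described above (one source trying a short list of credentials against many accounts over SMB) leaves a recognisable footprint in authentication logs: a burst of network-type (logon type 3) failures from a single host across several distinct usernames, sometimes followed by a success. The script below is an added defender-side example, not code from the alert or from US-CERT; the log format and the IP addresses in it are constructed for the example, and the 60-second window and five-account threshold are assumed tuning values that a real deployment would adjust.

```python
"""Flag SMB credential-list brute-force patterns in failed-logon events.

Added example (not from the US-CERT alert). Log lines below are constructed;
a real pipeline would feed Windows Security event 4625/4624 fields instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host (203.0.113.7) sprays six accounts in four
# seconds and then succeeds; 198.51.100.4 is an ordinary user typo; 192.0.2.9
# is an interactive (logon type 2) failure and therefore not SMB-related.
SAMPLE_LOG = """\
2018-05-29T10:00:01 src=203.0.113.7 user=administrator logon_type=3 result=FAIL
2018-05-29T10:00:02 src=203.0.113.7 user=admin logon_type=3 result=FAIL
2018-05-29T10:00:02 src=203.0.113.7 user=guest logon_type=3 result=FAIL
2018-05-29T10:00:03 src=203.0.113.7 user=root logon_type=3 result=FAIL
2018-05-29T10:00:03 src=203.0.113.7 user=user logon_type=3 result=FAIL
2018-05-29T10:00:04 src=203.0.113.7 user=test logon_type=3 result=FAIL
2018-05-29T10:00:05 src=203.0.113.7 user=administrator logon_type=3 result=SUCCESS
2018-05-29T10:00:10 src=198.51.100.4 user=jsmith logon_type=3 result=FAIL
2018-05-29T10:05:30 src=198.51.100.4 user=jsmith logon_type=3 result=SUCCESS
2018-05-29T11:00:00 src=192.0.2.9 user=bjones logon_type=2 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"logon_type=(?P<lt>\d+) result=(?P<res>\w+)$"
)


def parse_events(text):
    """Parse the constructed key=value log format into a list of dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip blank or malformed lines rather than crashing
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "logon_type": int(m["lt"]),
            "result": m["res"],
        })
    return events


def find_smb_bruteforce(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source_ip: finding} for hosts whose network-logon failures hit
    at least `min_accounts` distinct usernames inside `window`.

    `success_after` records whether the same source then authenticated
    successfully, which is the case worth escalating first.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 3:  # only network logons (SMB, among others)
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            accounts = sorted({e["user"] for e in in_window})
            if len(accounts) < min_accounts:
                continue
            last_fail = in_window[-1]["ts"]
            findings[src] = {
                "accounts": accounts,
                "first_fail": start["ts"],
                "last_fail": last_fail,
                "success_after": any(
                    e["result"] == "SUCCESS" and e["ts"] >= last_fail for e in evs
                ),
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in find_smb_bruteforce(parse_events(SAMPLE_LOG)).items():
        state = "FOLLOWED BY SUCCESS" if f["success_after"] else "no success seen"
        print(f"{src}: {len(f['accounts'])} accounts between "
              f"{f['first_fail']:%H:%M:%S} and {f['last_fail']:%H:%M:%S} ({state})")
```

Run on the sample, only 203.0.113.7 is reported, with `success_after` set, which is the outcome the alert's "report immediately and prioritise mitigation" guidance is aimed at. The legitimate mistyped password from 198.51.100.4 stays below the account threshold, and the interactive failure is ignored because it is not a network logon.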