This blog revisits the 2018 press release by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) regarding a Trojan malware variant named KEYMARBLE, which is used by the North Korean government for its cyber activity around the globe. The cyber threat actor behind KEYMARBLE is referred to as Hidden Cobra.
KEYMARBLE is a Remote Access Trojan (RAT) for 32-bit Windows capable of accessing device configuration data, executing system commands, capturing screenshots, modifying Windows registry entries and downloading additional files from the network. Like any other RAT, its purpose is to give the attackers control of the infected system.
The malware analysis indicates that the malware attempts to contact the following IP addresses to establish communication with the attackers:
The malware hashes are:
NCCIC recommends that network and system administrators follow the security measures below:
- Maintain situational awareness of the latest threats and implement appropriate ACLs.
- Maintain up-to-date antivirus signatures and engines.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Keep operating system patches up-to-date.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Disable unnecessary services on agency workstations and servers.
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Scan all software downloaded from the Internet prior to executing.
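One way to implement the "true file type" check from the list above, comparing a file's extension against its header (magic bytes), as an added example that is not part of the original post or of any NCCIC tooling; the signature table and the sample headers are constructed for illustration:

```python
import os

# Magic-byte signatures for a few common attachment types (constructed sample
# table; extend as needed). Each extension maps to the byte prefixes it may carry.
MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".exe":  [b"MZ"],
    ".dll":  [b"MZ"],
    ".zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],   # OOXML documents are zip containers
    ".xlsx": [b"PK\x03\x04"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

def detect_type(header: bytes):
    """Return the set of extensions whose magic bytes match the header."""
    return {ext for ext, sigs in MAGIC.items() if any(header.startswith(s) for s in sigs)}

def check_true_type(filename: str, header: bytes) -> str:
    """Classify an attachment as 'ok', 'mismatch' or 'unknown'.

    'mismatch' means the extension is in the table but the header belongs to a
    different type, e.g. a '.pdf' whose content starts with 'MZ' (a Windows PE)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return "unknown"          # no expectation recorded for this extension
    if ext in detect_type(header):
        return "ok"
    return "mismatch"

def scan_file(path: str) -> str:
    """Read only the first 16 bytes of a real file and classify it."""
    with open(path, "rb") as f:
        return check_true_type(path, f.read(16))

if __name__ == "__main__":
    # Constructed sample headers, not real attachments.
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
        "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # PE disguised as a PDF
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "notes.txt": b"hello",
    }
    for name, hdr in samples.items():
        print(f"{name}: {check_true_type(name, hdr)}")
```

A "mismatch" result is the case the recommendation targets: the extension promises one type while the header reveals another, which is a common way executables are smuggled past filters that trust the file name.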
If you suspect that you have been compromised by KEYMARBLE, contact LIFARS immediately for containment, support, and remediation.