This blog revisits the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) 2018 press release regarding a Trojan malware variant named KEYMARBLE, which is being used by the North Korean government for its cyber activity around the globe. The Cyber Treat Actor behind KEYMARBLE is referred to as Hidden Cobra.
KEYMARBLE is a Remote Trojan Access (RAT) for Windows 32-bit capable of accessing device configuration data, executing system commands, recording screen shots, modifying the Windows registry entries and downloading any additional files from the network. As any other RAT, its purpose is to give the attackers control of the infected system.
The malware analysis indicates that the malware tries to contact the following IP addresses to stablish communication with the attackers at:
- 212.143.21.43
- 100.43.153.60
- 104.194.160.59
The malware hashes are:
MD5: 704d491c155aad996f16377a35732cb4
SHA1: d1410d073a6df8979712dd1b6122983f66d5bef8
SHA256: e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
SHA512: 0092900bf4ca71c17a3caa225a4d7dcc60c7b58f7ffd173f46731db7f696e34b2e752aefaf9cedc27fe76fe317962a394f1be2e59bd0cffaabd9f88cc4daedcc
NCCIC recommends network and system administrators to follow the security measures below:
- Maintain situational awareness of the latest threats and implement appropriate ACLs.
- Maintain up-to-date antivirus signatures and engines.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Keep operating system patches up-to-date.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Disable unnecessary services on agency workstations and servers.
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Scan all software downloaded from the Internet prior to executing.
If you suspect that you have been compromised by KEYMARBLE, contact LIFARS immediately for containment, support, and remediation.