USCYBERCOM Releases Malware Samples and Analyses Used by DPRK Cyber Actors

As a Valentine’s Day surprise, USCYBERCOM publicly released six malware samples on VirusTotal and seven malware analysis reports on the uploaded malware. As attributed by the National Cyber Investigative Joint Task Force (NCIJTF), these samples were used by North Korean (DPRK) state-sponsored threat actors for phishing and remote access to victims for espionage.

The following contains a brief description of each of the released malware:

  • HOPLIGHT – Used for system profiling. Will obtain information including victim OS, System Time, and available system drives/partitions.
  • ARTFULPIE – Used as a downloader. Loads a downloaded DLL into memory.
  • HOTCROISSANT – This is a fully functioning Remote Access Trojan (RAT), with several commands used for cyber espionage, including a capability to capture the victim’s screen.
  • CROWDEDFLOUNDER – Used to unpack and execute a RAT into memory, this sample is packed using Themida.
  • SLICKSHOES – Unpacks and deploys another RAT. This RAT notably contains the string “ApolloZeus” during the Command and Control server (C2)’s initial beacon communication. This sample is also packed using Themida.
  • BISTROMATH – Using obfuscation and steganography to hide, this sample decrypts a ‘fake’ bitmap image to get configuration information and shellcode. This shellcode begins profiling the system, attempting to determine if it is being analyzed by a researcher by detecting the presence of virtual machines (VMs) or sandboxes. Additionally, it looks for specific usernames and computers.
  • BUFFETLINE – An additional RAT used for profiling systems. A notable feature is that even though it appears to set up a TLS session, it actually communicates with a custom protocol designed to mimic TLS traffic, but instead uses an XOR key to encrypt traffic.