US-CERT Issues Warning About Two North Korean Malware Variants

Two malware strains, known as Joanap and Brambul, are being used to establish peer-to-peer connections and remotely access infected systems, manage botnets, and steal system information and login credentials. The malware strains are communicating with IP addresses in 17 countries and have been linked to North Korea by the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The malware families are not new. They have been used by North Korea since 2009 and have previously been used in targeted attacks on media outlets and aerospace, financial, and critical infrastructure organizations, including organizations in the United States.

The malware strains communicate with HIDDEN COBRA, the name the U.S. government uses for North Korea's cyber operations. US-CERT has released the IP addresses being used for communication and other Indicators of Compromise (IoCs) so that companies can scan their networks for infections.

Infection could result in temporary or permanent loss of data, theft of sensitive information and proprietary data, disruption to normal operations, financial losses, and reputational harm.

Joanap malware is capable of file management, process management, node management, and the creation and deletion of directories. The malware establishes peer-to-peer communications and can manage botnets deployed on computers. Once installed, the malware enables HIDDEN COBRA threat actors to exfiltrate data, initialize proxy communications, and install further malicious payloads.

Brambul malware is a 32-bit Windows Server Message Block (SMB) worm that functions as a dynamic link library or portable executable file. The malware is downloaded by dropper malware. According to US-CERT’s warning, “The malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords.” The malware is also capable of randomly generating IP addresses for further attacks.

The malware steals system information and credentials and sends them out via malicious email addresses; the stolen credentials then allow the attackers to remotely access compromised systems over the SMB protocol. While the exact method of attack has not been confirmed, it has been suggested that insecure or unsecured systems are compromised first and the malware then spreads laterally through poorly secured network shares.
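The SMB brute-force and subnet-probing behaviour described above leaves a recognisable trail in Windows logon-failure events. The following detector is an added example, not code from the article or from the US-CERT alert; it runs over a constructed log sample in an assumed flattened format and flags a source that hammers one host with failed network logons, and a source that fails logons against many hosts in the way a spreading worm would.

```python
"""Flag SMB brute-force and worm-like lateral movement in Windows logon-failure events."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the alert). One Windows Security event per line,
# flattened to: "<time> <target host> <event id> LogonType=<n> Src=<ip> User=<name>".
# 4625 = logon failure, 4624 = logon success; LogonType 3 = network logon (SMB, etc.).
SAMPLE_LOG = """\
2018-05-30T10:00:01 FS01 4625 LogonType=3 Src=10.0.0.77 User=administrator
2018-05-30T10:00:03 FS01 4625 LogonType=3 Src=10.0.0.77 User=admin
2018-05-30T10:00:05 FS01 4625 LogonType=3 Src=10.0.0.77 User=backup
2018-05-30T10:00:07 FS01 4625 LogonType=3 Src=10.0.0.77 User=guest
2018-05-30T10:00:09 FS01 4625 LogonType=3 Src=10.0.0.77 User=user
2018-05-30T10:00:15 WS02 4625 LogonType=3 Src=10.0.0.77 User=administrator
2018-05-30T10:00:20 WS03 4625 LogonType=3 Src=10.0.0.77 User=administrator
2018-05-30T10:05:00 FS01 4625 LogonType=2 Src=10.0.0.5 User=alice
2018-05-30T10:05:30 FS01 4625 LogonType=3 Src=10.0.0.5 User=alice
2018-05-30T10:05:40 FS01 4624 LogonType=3 Src=10.0.0.5 User=alice
"""

def parse(line):
    ts, host, event_id, logon_type, src, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event_id,
            "logon_type": logon_type.split("=")[1], "src": src.split("=")[1]}

def detect(log_text, fail_threshold=5, window=timedelta(seconds=120), spread_threshold=3):
    """Return sources that brute-force one host and sources that probe many hosts."""
    failures = defaultdict(list)            # (src ip, target host) -> failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] == "4625" and ev["logon_type"] == "3":   # failed network logons only
            failures[(ev["src"], ev["host"])].append(ev["ts"])
    brute, targets = set(), defaultdict(set)
    for (src, host), stamps in failures.items():
        stamps.sort()
        targets[src].add(host)
        # Sliding window: fail_threshold failures against one host inside `window`.
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= window:
                brute.add((src, host))
                break
    # One source failing logons against many hosts looks like a worm scanning the subnet.
    spread = {src for src, hosts in targets.items() if len(hosts) >= spread_threshold}
    return {"brute_force": sorted(brute), "worm_like": sorted(spread)}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Interactive (LogonType 2) failures and successful logons are ignored so that a user mistyping a password at the console does not trip the rule; the thresholds are starting points to tune against your own baseline.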

DHS recommends following security best practices to reduce susceptibility to these types of malware attacks: keep all software and operating systems fully patched, deploy AV software and perform regular scans, scan all new software prior to execution, restrict administrator privileges, scan emails and email attachments, disable Microsoft's file and printer sharing service, and use a personal firewall on all workstations configured to deny unsolicited connection requests.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news