PRODUCTS
ShadowPlex Advanced Threat Defense
Deception for early detection of cyber threats with precision and speed
ShadowPlex Identity Protection
Visibility of identity attack surface and comprehensive detection of identity threats
ShadowPlex Cloud Security
Multi-cloud Security Built on Enterprise-scale honeytokens
ShadowPlex Threat Intel
Targeted Threat Intel Providing Preemptive Cyber Security
ShadowPlex Preemptive Cybersecurity Platform
Comprehensive and Award-winning Distributed Deception Platform
What is Preemptive Cybersecurity?
Preemptive Cybersecurity detects and diverts attacks.
SOLUTIONS
Technology
Active Directory Protection
Cloud Detection and Response (CDR)
Early Threat Detection
Honeytokens for CrowdStrike
Identity Threat Detection & Response
Insider Threats
OT Security
Ransomware
Red Teaming
Threat Hunting
Zero Trust
SOLUTIONS
Industry
Healthcare
Financial Services
Public Sector
RESOURCES
Blog
Events
Cyber Deception Glossary
RESOURCE CENTER
Analyst Reports
Case Studies
Data Sheets
E-Books
Solution Briefs
Webinars
Whitepapers
COMPANY
About Acalvio
Leadership
Investors
Press Center
In The News
Why Preemptive Cybersecurity
Contact
PARTNERS
Strategic Partners
Technology Partners
Partner Program
Become a Partner
Blog Cyber Deception Lateral Movement Technique by Hidden Cobra Threat Actor
Team Acalvio
|
June 13, 2018

Lateral Movement Technique by Hidden Cobra Threat Actor

US Cert recently issued notification regarding malicious cyber activity by the North Korean government [1] as Hidden Cobra.  There are two families of malware used by the North Korean Government.

  • Remote Access Tool (RAT) known as Jonap
  • A Server Message Block (SMB) worm called as Brambul worm.

As per the report by US-Cert, threat actor have been using these malware since 2009 to target multiple victims globally and in United States,- including the media, aerospace, financial, and critical infrastructure sector.

In this blog we share the technical details of the spreading techniques used by the Brambul worm and its detection by distributed deception platform.

Brambul Worm

The worm invokes multiple thread which then randomly generates the IP addresses for infection.

lateral movement tech by hidden cobra threat actor

Figure 1.0 Showing the code for random generation of IP address.

Once the victim’s IP addresses, have been generated it  connects to \\IPC$ share, on the port 445 of the victim machine with Administrator as the username and fixed hardcoded passwords.

Later down the malware code, it makes call to the WNetAddConnection2 API  to connect to a network resource and constructs the below command.

cmd.exe /q /c net share admin$=%%SystemRoot%% /GRANT:%s, FULL

It then make call to the service manager. OpenSCManagerA() with the victim machine machines on the network as the parameter.  StartSeviceA() is then called with the with the command as the parameter, will execute the command which will grant full permission on the remote machine.  Once the command has been executed, the code will make call to DeleteService() which will then delete the service.

lateral movement tech by hidden cobra threat actor 2

Once the full permission is granted on the remote machine, the worm is copied to the remote machine.

Detection by Distributed Deception Platform

The worm as such is not quite sophisticated and primarily relies on the brute force attempts. This will be successful only in weak environments. If the deception are deployed in a threat agnostic manner as discussed in the previous blog, network enumeration by the Brambul Worm will get detected by the distributed deception platform. Brute force condition will raise an alert of breach leading to the isolation of the infected endpoint.

References:

[1]  Hidden Cobra – North Korean Malicious  Cyber Activity. https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

[2] HIDDEN COBRA – Jonap Backdoor Trojan and Brambul SMB worm  https://www.us-cert.gov/ncas/alerts/TA18-149A

Definitive Guide to Identity Protection
Get the Ebook
Gartner names Acalvio Tech Innovator
Learn More
Acalvio, the Ultimate Preemptive Cybersecurity Solution.
Schedule a Demo
Acalvio is the leader in autonomous cyber deception technologies, arming enterprises against sophisticated cyber threats including APTs, insider threats and ransomware. Its AI-powered Active Defense Platform, backed by 25 patents, enables advanced threat defense across IT, OT, and Cloud environments. Additionally, the Identity Threat Detection and Response (ITDR) solutions with Honeytokens enable Zero Trust security models. Based in Silicon Valley, Acalvio serves midsize to Fortune 500 companies and government agencies, offering flexible deployment from Cloud, on-premises, or through managed service providers.
© Acalvio Technologies, Inc. All rights reserved.