US-CERT issues new warning on North Korea-linked 'KeyMarble' Trojan

• The malware has been linked to Hidden Cobra, the US government's term for North Korea state-sponsored hackers.
• The Trojan comes with a wide range of capabilities including accessing device configuration data, downloading files, executing commands, manipulating the Windows Registry configuration and more.

The US Department of Homeland Security has issued a new warning on a North Korean-linked remote access Trojan dubbed KEYMARBLE RAT. In an analysis report published last week, US-CERT assessed the malware is linked to Hidden Cobra, the US government’s term for North Korean state-sponsored hackers.

The KEYMARBLE RAT is a 32-bit Windows executable file that, once executed, de-obfuscates its application programming interfaces (APIs) and uses port 443 to connect to a series of hard-coded IP addresses before awaiting additional instructions.

Data exfiltration, screen-grabbing and more

Some of its capabilities include accessing device configuration data, downloading files, executing commands, manipulating the Windows Registry configuration, capturing screenshots and more . It is also capable of harvesting and relaying a trove of information about the victim’s system including OS, CPU, MAC address, computer name, language settings, list and type of disk devices, time elapsed since the system was started and unique identifier of the system as well.

“Static analysis reveals that this RAT uses a customized XOR cryptographic algorithm to secure its data transfers and command-and-control (C2) sessions,” the advisory reads.

North Korean malware campaigns

The warning comes after researchers from McAfee and Intezer revealed links among North Korea’s malware families at Black Hat 2018. Researchers said they discovered the reuse of code among malware and their malware attack campaigns.

"Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal," Intezer’s Jay Rosenberg and McAfee’s Christiaan Beek wrote in a blog post. "With targeted campaigns, an adversary must keep its tools undetected for as long as possible. By identifying re-used code, we gain valuable insights about the ‘ancestral relations' to known threat actors or other campaigns."

Researchers also revealed several other similarities between various North Korean malware families. They found that the infamous WannaCry malware which used the Windows Server Message Block (SMB) file sharing protocol module was used across various North Korean malware.

"From the Mydoom variant Brambul to the more recent Fallchill, WannaCry, and the targeting of cryptocurrency exchanges, we see a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor," researchers said.

US-CERT has recommended the organizations follow best practices to strengthen their security posture and stay safe from malicious threats such as the KEYMARBLE RAT. Organizations must regularly update their antivirus software, promptly install patches, implement strong password policies and exercise caution when using removable media, the agency recommended.