eSentire White Logo

Security advisories | May 12, 2020

CISA Reports on North Korean Malware


The Cybersecurity and Infrastructure Security Agency (CISA) has released three new reports on malware associated with North Korean state sponsored threat actors. The reports outline three different malware types: PebbleDash Trojan [1], TaintedScribe Trojan [2] and CopperHedge RAT [3]. These tools are reported to be used by the North Korean threat actor Hidden Cobra (Lazarus Group). While the reports lack specific details on where the malware types were used, Hidden Cobra has a long history of targeting both governments and private organizations that interest the North Korean government.

What we’re doing about it

  • Known hashes relating to PebbleDash, TaintedScribe and CopperHedge are being tracked and have been checked against all esENDPOINT clients
  • Known IP addresses have been added to the eSentire Global Blacklist
  • eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

  • Apply the practice of least privilege and ensure that only required users have administrator privileges
  • Ensure that antivirus signatures and engines are kept up to date
  • Ensure that all operating system patches are up to date
  • For additional recommendations, see the official reports produced by CISA [1][2][3]

Additional information

The two Trojans, PebbleDash and TaintedScribe are beaconing implants that can be used to exfiltrate information, download additional malicious content and execute commands on infected devices. CopperHedge is a variant of the Manuscrypt RAT and is a remote access tool that can be used to run arbitrary commands, perform system reconnaissance, and exfiltrate data. The CISA reports were released on May 12th, 2020, but the malware was likely in use for years prior to this report. Hashes for the malware were reported to VirusTotal as far back as 2018. Information on past Hidden Cobra related activity and tools can be found on the CISA web-page North Korean Malicious Cyber Activity [4].