MAR-10135536-17 – North Korean Trojan: KEYMARBLE
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
This malware report contains analysis of one 32-bit Windows executable file, identified as a Remote Access Trojan (RAT). This malware is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
For a downloadable copy of IOCs, see:
Submitted Files (1)
No matches found.
This application is a malicious 32-bit Windows executable file, which functions as a RAT. When executed, it de-obfuscates its application programming interfaces (APIs) and using port 443, attempts to connect to the hard-coded IP addresses listed below. After connecting, the malware waits for further instructions.--Begin hard-coded IP addresses--22.214.171.124126.96.36.199188.8.131.52--End hard-coded IP addresses--Static analysis reveals that this RAT uses a customized XOR cryptographic algorithm displayed in Figure 1 to secure its data transfers and command-and-control (C2) sessions. It is designed to accept instructions from the remote server to perform the following functions:--Begin functions--Download and upload filesExecute secondary payloadsExecute shell commandsTerminate running processesDelete filesSearch filesSet file attributesCreate registry entries for storing data:(HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath)Collect device information from installed storage devices (disk free space and their type)List running processes informationCapture screenshotsCollect and send information about the victim's system (operating system, CPU, MAC address, computer name, language settings, list of disk devices and their type, time elapsed since the system was started, and unique identifier of the victim's system)--End functions--
Figure 1 - Screenshot of the cryptographic algorithms the malware used to secure its data transfers and C2 sessions.
Domain Name: KRYPT.COMRegistry Domain ID: 4620809_DOMAIN_COM-VRSNRegistrar WHOIS Server: whois.godaddy.comRegistrar URL: http://www.godaddy.comUpdated Date: 2016-02-25T03:39:29ZCreation Date: 1998-05-04T04:00:00ZRegistry Expiry Date: 2024-05-03T04:00:00ZRegistrar: GoDaddy.com, LLCRegistrar IANA ID: 146Registrar Abuse Contact Email: email@example.comRegistrar Abuse Contact Phone: 480-624-2505Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibitedDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibitedDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibitedDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibitedName Server: NS1.CF.KRYPT.COMName Server: NS2.CF.KRYPT.COMName Server: NS3.CF.KRYPT.COMDNSSEC: signedDelegationDNSSEC DS Data: 2371 13 2 503AEB51F773BBCA00DB982C938895EF147DDC7D48A4E1E6FD0FE5BE7B98DA0DURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/Last update of whois database: 2018-06-28T02:39:11Z
Domain Name: SERVPAC.COMRegistry Domain ID: 81803816_DOMAIN_COM-VRSNRegistrar WHOIS Server: whois.godaddy.comRegistrar URL: http://www.godaddy.comUpdated Date: 2013-12-27T04:46:10ZCreation Date: 2001-12-31T08:29:34ZRegistry Expiry Date: 2018-12-31T08:29:34ZRegistrar: GoDaddy.com, LLCRegistrar IANA ID: 146Registrar Abuse Contact Email: firstname.lastname@example.orgRegistrar Abuse Contact Phone: 480-624-2505Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibitedDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibitedDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibitedDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibitedName Server: NS1.SERVPAC.COMName Server: NS2.SERVPAC.COMDNSSEC: unsignedURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/Last update of whois database: 2018-06-28T02:40:41Z
netnum: 184.108.40.206 - 220.127.116.11netname: Nana10-LANdescr: Nana10-LANcountry: ILadmin-c: NV6695-RIPEtech-c: NV6695-RIPEstatus: ASSIGNED PAmnt-by: NV-MNT-RIPEcreated: 2011-02-17T09:16:56Zlast-modified: 2011-02-17T09:16:57Zsource: RIPEperson: Nana 10 LTDaddress: 1 Korazin straddress: Givataim, Israel, 53583mnt-by: NV-MNT-RIPEphone: +972-73-7992000fax-no: +972-73-7992220e-mail: email@example.com: NV6695-RIPEcreated: 2010-08-04T09:51:11Zlast-modified: 2011-02-17T09:01:21Zsource: RIPE% Information related to '18.104.22.168/16AS1680'route: 22.214.171.124/16descr: 013 Netvision Networkorigin: AS1680mnt-by: NV-MNT-RIPEcreated: 1970-01-01T00:00:00Zlast-modified: 2009-03-26T10:55:12Zsource: RIPE
NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.
NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.
Can I submit malware to NCCIC? Malware samples can be submitted via three methods:
NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.
August 9, 2018: Initial version