This morning US-CERT published a malware analysis report on a North Korean trojan they call "TYPEFRAME". The report covers 11 malware samples that targeted Windows machines using executables and a macro-enabled Microsoft Word document. TYPEFRAME appears to have much of the functionality expected of Advanced Persistent Threat malware, including connecting to C2 nodes to download and install malware and receive further instructions, installing a proxy and other Remote Access Trojans, and modifying the victim's security device rules (usually firewalls) to ensure that new malicious incoming connections make it through.
This last point is an important one for security practitioners to consider. In the event that an organization discovers indications of TYPEFRAME on its network, it is critical to also review firewall change logs and ACLs to see whether they have been altered. It is not sufficient simply to remove the malware and wipe the affected boxes. Taking those actions without validating the firewalls and other security devices could leave you open to further exploitation, because malicious IP addresses could still be treated as trusted by the network.
The North Korean hacking group this malware is attributed to is HIDDEN COBRA (HC). HC is arguably the most reported hacking group of the last couple of years. They are allegedly behind the DNC hack, WannaCry, the Sony Pictures hack, and many other highly impactful hacking events. It is believed that this group works on behalf of the North Korean government and does its bidding, likely via the military.
At Security On-Demand, we have tasked the indicators of compromise for continuous monitoring and detection. Our SOC and Threat Reconnaissance Unit (TRU) are searching the past 30 days across our customer base, and we will notify our customers of any communication or other interaction with TYPEFRAME indicators.
We have provided a few of the indicators below; all of them can be found in the US-CERT report AR18-165A.
- 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210 (java.exe)
- 089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359 (midimapper.rs)
- a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6 (laxhost.dll)
- e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef (dwnhost.dll)
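As an added example (not code from US-CERT or Security On-Demand), the script below shows the kind of retroactive hash sweep described above: it loads the four SHA-256 indicators listed on this page, matches them against hash fields in endpoint log lines, and can also hash files on disk to check a host directly. The log format, hostnames and file paths in the sample data are constructed for illustration and do not come from the report.

```python
import hashlib
import os
import re

# SHA-256 indicators for TYPEFRAME as listed above (from US-CERT report AR18-165A).
TYPEFRAME_IOCS = {
    "3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210": "java.exe",
    "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359": "midimapper.rs",
    "a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6": "laxhost.dll",
    "e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef": "dwnhost.dll",
}

# Any 64-hex-digit token in a log line is treated as a candidate SHA-256.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed sample of endpoint telemetry (hypothetical format, not real customer data).
# Lines 1 and 2 carry TYPEFRAME hashes; line 3 is a benign file with an unrelated hash.
SAMPLE_LOG = r"""2018-06-18T09:12:01Z host=ws-042 event=process_create image=C:\Users\jdoe\AppData\Local\Temp\java.exe sha256=3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210
2018-06-18T09:12:05Z host=ws-042 event=file_write path=C:\Windows\System32\laxhost.dll sha256=a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6
2018-06-18T09:13:40Z host=ws-017 event=process_create image=C:\Program Files\Java\bin\java.exe sha256=0000000000000000000000000000000000000000000000000000000000000000"""


def match_log_lines(lines, iocs=TYPEFRAME_IOCS):
    """Return one hit per log line whose SHA-256 field matches a known indicator.

    Each hit is a dict with the 1-based line number, the matched hash and the
    sample name the report associates with it.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in SHA256_RE.findall(line):
            digest = token.lower()
            if digest in iocs:
                hits.append({"line_no": line_no, "sha256": digest, "ioc_name": iocs[digest]})
    return hits


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=TYPEFRAME_IOCS):
    """Walk a directory tree and return (path, sha256, ioc_name) for files matching an indicator.

    Unreadable files (permissions, transient locks) are skipped rather than aborting the sweep.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line_no']}: {hit['ioc_name']} ({hit['sha256']})")
```

Hash-only matching is exact by design: a recompiled or repacked sample will not hit, so treat a clean sweep as "no known samples found", not as proof the network is clean, and pair it with the firewall and ACL review described above.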