CISA identifies malware from North Korean hacking group

The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI and Department of Defense, identified three new variants of malware used by a state-sponsored North Korean hacking group.

The three malware variants are known as Copperhedge, Pebbledash and Taintedscribe; Copperhedge is a remote access tool, and the latter two are Trojans. CISA attributed the malware to Hidden Cobra (AKA Lazarus Group), which is credited with much of the nation's malicious state-sponsored activity, including Copperhedge, Pebbledash and Taintedscribe.

The CISA alert did not specify how the malware variants were being used by nation-state hackers, or what entities were being targeting, but the agency did say the malware was being used in current threat activity.

"[The] FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the CISA malware analysis report said.

U.S. Cyber Command put the malware samples of all three variants on VirusTotal, a website and tool for file and URL analysis, so that other organizations and enterprises can analyze and block them. The CISA alert urged users and administrators to review the samples in VirusTotal, as well as CISA's malware analysis reports, to better defend themselves against the threats.

North Korea has a history of malicious cyber activity, which includes notable exploits such as the 2014 Sony Pictures hack and the 2013 Dark Seoul attacks. Much of its reported malware has consisted of Trojans, but other types of malware are represented as well, such as proxy malware, worms, the WannaCry ransomware and more.

A CISA representative declined to comment further on the alert.