North Korean Trojan Activity

Three new trojans, BANKSHOT, HARDRAIN and BADCALL, have been identified as being created and operated by the advanced persistent threat group, HIDDEN COBRA (Lazarus Group, Guardians of Peace).

Threat ID:: CC-2050
Category:: Trojan
Threat Severity:: Medium
Threat Vector:
Published:: 15 February 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Three new trojans, BANKSHOT, HARDRAIN and BADCALL, have been identified as being created and operated by the advanced persistent threat group, HIDDEN COBRA (Lazarus Group, Guardians of Peace).

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions
Google Android - All versions

Threat details

BANKSHOT consists of a number of proxy application tools intended to disguise command and control (C2) communications. Also included are two remote access trojan (RAT) tools designed to install the proxy applications.

HARDRAIN is two 32-bit Windows executables that function as proxy servers to mask the C2 communications of the third file, an Executable Linkable Format file designed as an Android-based RAT.

BADCALL appears similar to HARDRAIN except it uses an Android Package Kit file to store and execute the RAT.

At present, attack vectors for these threats are unknown. This article will be updated as and when information becomes available.

For further information:

Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean device.

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean device.

Last edited: 5 November 2020 2:34 pm