US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware

The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation.

The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on “DeltaCharlie,” a malware variant used by “Hidden Cobra” hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network.

According to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure.

While the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace – the one allegedly linked to the devastating WannaCry ransomware menace that shut down hospitals and businesses worldwide.

DeltaCharlie – DDoS Botnet Malware

The agencies identified IP addresses with “high confidence” associated with “DeltaCharlie” – a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.

DeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol (CGP) attacks.

The botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks.

However, the DeltaCharlie DDoS malware is not new.

DeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [PDF], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo.

Other malware used by Hidden Cobra include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, including DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Hidden Cobra’s Favorite Vulnerabilities

Operating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into victim’s machine.

These are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra:

• Hangul Word Processor bug (CVE-2015-6585)
• Microsoft Silverlight flaw (CVE-2015-8651)
• Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)
• Adobe Flash Player 21.0.0.197 Vulnerability (CVE-2016-1019)
• Adobe Flash Player 21.0.0.226 Vulnerability (CVE-2016-4117)
  The simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall.

Since Adobe Flash Player is prone to many attacks and just today the company patched nine vulnerability in Player, you are advised to update or remove it completely from your computer.

The FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group.

> “If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,” the alert reads.

Besides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow here.