Alert: “DeltaCharlie”

US Authorities Warn of North Korean DDoS Botnet

The Department of Homeland Security and the Federal Bureau of Investigation, via the United States Computer Emergency Readiness Team (US-CERT), issued a bulletin warning of a new distributed denial-of-service (DDoS) botnet targeting US businesses. The threat actors are believed to be the hacking group “Hidden Cobra”, also known as the Lazarus Group. This group is suspected of having strong ties to the North Korean government. Both the FBI and the Department of Homeland Security stated that it appears that businesses within the media, aerospace, financial, and critical infrastructure sectors within the US, as well as other international businesses and state organizations, are being targeted.

DeltaCharlie is a variant of other DDoS botnets, called “DeltaAlpha” and “DeltaBravo”. Both agencies have confirmed with a high level of certainty that the IP addresses used in the latest botnet campaign are those associated with “Hidden Cobra” when it launches attacks. It has been confirmed that DeltaCharlie is capable of launching multiple forms of attack, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol (CGP) attacks. DeltaCharlie is capable of downloading executables onto infected systems, updating its own binaries, changing its own configuration in real time, terminating its processes, and activating and terminating DDoS attacks.


DeltaCharlie by no means new

The malware is not new; it is merely a variation on the group's use of DeltaAlpha and DeltaBravo, the DeltaCharlie variant having been discovered by Novetta in 2016. Historically, this latest attack has all the hallmarks of the group's previous campaigns. As with similar attacks dating back to 2009, seemingly at the group's formation or once it received backing from North Korea, the attacks are geared towards exploiting vulnerabilities found in systems running older and unsupported versions of Windows. Alternatively, vulnerabilities in Adobe Flash Player are also used to gain a foothold in a targeted system.

The FBI has listed the following as confirmed vulnerabilities usually exploited by the hacking group:

  • Hangul Word Processor bug (CVE-2015-6585)
  • Microsoft Silverlight flaw (CVE-2015-8651)
  • Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)
  • Adobe Flash Player 21.0.0.197 Vulnerability (CVE-2016-1019)
  • Adobe Flash Player 21.0.0.226 Vulnerability (CVE-2016-4117)

As with many other attacks, the simplest way to defend against this attack is to keep systems and software up to date and to ensure network assets are behind a firewall.

The FBI and DHS have also listed numerous indicators of compromise, malware descriptions, network signatures, as well as host-based rules. The following have been listed by the FBI and DHS:

Network Signatures

alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern:only; sid:1; rev:1;)
alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; sid:1; rev:1;)
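
The matching logic of the two signatures, restated in Python as an added example (not part of the US-CERT alert or the original article). It assumes the caller already supplies per-packet payloads from established TCP sessions together with their direction; the function names and sample payloads are constructed for illustration.

```python
# Added example: the two Snort signatures above restated as Python checks.
HANDSHAKE = bytes.fromhex("1817e9e9e9e9")  # content of ..._DDoS_HANDSHAKE_SUCCESS
BEACON = bytes.fromhex("1b17e9e9e9e9")     # content of ..._Botnet_C2_Host_Beacon


def match_signatures(payload, to_server):
    """Return the msg names one TCP packet payload would trigger."""
    hits = []
    # Both rules carry flow:established,to_server, so server-to-client
    # traffic never matches. Session state is assumed checked by the caller.
    if not to_server:
        return hits
    # dsize:6 means the packet payload is exactly 6 bytes, so the 6-byte
    # content has to be the entire payload.
    if len(payload) == 6 and payload == HANDSHAKE:
        hits.append("DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS")
    # depth:6 means the content must sit inside the first 6 bytes; the
    # payload may carry further data after it.
    if payload[:6] == BEACON:
        hits.append("DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon")
    return hits


# Constructed sample payloads (not captured traffic): (label, to_server, hex)
SAMPLES = [
    ("exact handshake", True, "1817e9e9e9e9"),
    ("beacon plus trailing data", True, "1b17e9e9e9e90001020304"),
    ("handshake bytes in 7-byte payload", True, "1817e9e9e9e9ff"),
    ("beacon bytes, server to client", False, "1b17e9e9e9e9"),
    ("beacon bytes at offset 1", True, "001b17e9e9e9e9"),
]


def scan(samples):
    """Return {label: [msg, ...]} for every sample that triggers a signature."""
    results = {}
    for label, to_server, hex_payload in samples:
        hits = match_signatures(bytes.fromhex(hex_payload), to_server)
        if hits:
            results[label] = hits
    return results


if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        print(f"{label}: {', '.join(hits)}")
```

The last three samples show the cases each rule option excludes: a payload longer than dsize:6, the wrong flow direction, and a pattern that starts past the depth:6 window.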

YARA Rules

rule hidden_cobra_rsa_key  // placeholder rule name; the quoted excerpt gives none
{
    strings:
        // embedded RSA key bytes
        $rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
                   A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
                   48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
                   73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
                   AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
                   39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
                   3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
                   B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
    condition:
        any of them
}

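rule hidden_cobra_misspelled_strings  // placeholder rule name; the quoted excerpt gives none
{
    strings:
        // misspelled strings, matched as written
        $STR1 = "Wating" wide ascii
        $STR2 = "Reamin" wide ascii
        $STR3 = "laptos" wide ascii
    condition:
        // file-header magic check, then at least two of the strings
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them
}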

rule hidden_cobra_random_url_builder  // placeholder rule name; the quoted excerpt gives none
{
    strings:
        // byte pattern with ?? wildcards over the variable bytes
        $randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4 48 C3 }
    condition:
        $randomUrlBuilder
}

(As reported in US-CERT Alert TA17-164A)

Unpredictability a key to success

For experts and state officials, Hidden Cobra is becoming more than a thorn in the side. The group is suspected of being behind the electronic bank robbery that stole 81 million USD from banks based in Bangladesh, which was run through the Federal Reserve Bank in New York. This was just one of numerous attacks targeting banking institutions in at least 18 countries.

Due to crushing economic sanctions being placed on the hermit kingdom for a variety of reasons, not least its continued program for creating nuclear weapons, the country has been ingenious in adopting tactics to obtain funds, often illegally. North Korea’s complete disregard for international law, not to mention standards promoted by the United Nations, illustrates that it is not above using tactics normally reserved for the criminal underworld. They have proven to the world that they are willing to do whatever is necessary to fund their nuclear build program and potentially inch the region into another war.

While bank robbery is an extreme way to fund state projects, Hidden Cobra also fights the propaganda war for North Korea. The group is widely believed to be behind the Sony Pictures hack, intended to show North Korea’s displeasure with “The Interview”, a movie about trying to assassinate the nation’s dictator that was intended to be a comedy. The joke was obviously lost on the nation’s authoritarian leadership.

Given the wide range of attacks the group has conducted, predicting its future actions is nearly impossible. This unpredictability makes trying to pre-emptively combat further attacks a waste of time. So far the best defence seems to be the one employed by the FBI and DHS: educating the greater public about the group’s methods.