Fortinet security report: Vulnerability in MS Word, macOS malware and Korean Hidden Cobra hackers

The US CERT, together with the Department of Homeland Security and the FBI, has published a detailed analysis of two malware families used by the Hidden Cobra group, which is attributed to the North Korean government. The analysis shows that Joanap (a remote access tool) and Brambul (a worm that spreads over the SMB protocol) have been used in attacks since at least 2009, and that the main victims are organizations in the media, aviation, finance and public sectors, as well as critical infrastructure.

Among the published IOCs (Indicators of Compromise) is the malware sample hash 4731CBAEE7ACA37B596E38690160A749. The malware was most often delivered to computers via drive-by downloads and malicious attachments. The CVE-2017-0199 vulnerability in Microsoft Word was also used: although it is old, having been made public last year, it still gave the attackers a way to compromise systems and execute code remotely. Many organizations are evidently slow to update their software and systems, which is why the Hidden Cobra hackers had little trouble attacking targets in 17 countries (Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, Tunisia).

Fortinet also draws attention to another threat that has nothing to do with the Hidden Cobra group but is worth mentioning because of its prevalence: a cryptocurrency miner on macOS. The application is 3.5 MB in size and installs and runs a program called "mshelper". The installer must have root privileges, because the program is started by the "com.pplauncher.plist" launch daemon, so the malware is suspected to be installed through social engineering or fake software.

If you see "com.pplauncher.plist" among the running programs, you can remove the malware by deleting the file "/Library/LaunchDaemons/com.pplauncher.plist" and restarting the system.

Not long ago a ByteCoin miner was smuggled into the Ubuntu Snap Store, so it is worth reviewing CPU usage, running services and programs, and scanning the macOS system for malicious software from time to time.
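The check described above can be scripted instead of done by eye. The following is an added example, not code from the article or from Fortinet: it parses every launchd plist in a LaunchDaemons directory and flags those whose label or program matches the indicators the article names ("com.pplauncher" and "mshelper"). The plist contents and the binary path in the demo are constructed, since the article gives only the label, file name and program name.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators quoted in the article: the daemon label/file and the binary it launches.
KNOWN_LABELS = {"com.pplauncher"}
KNOWN_PROGRAMS = {"mshelper"}

def inspect_plist(data: bytes) -> list:
    """Parse one launchd plist and return the reasons (if any) it matches the miner's persistence."""
    try:
        d = plistlib.loads(data)
    except Exception:
        return ["plist could not be parsed"]
    reasons = []
    label = str(d.get("Label", ""))
    if label in KNOWN_LABELS:
        reasons.append(f"label '{label}' is a known indicator")
    # launchd accepts either Program or ProgramArguments; check both.
    programs = [d["Program"]] if "Program" in d else []
    programs += list(d.get("ProgramArguments", []))
    for prog in programs:
        if Path(str(prog)).name in KNOWN_PROGRAMS:
            reasons.append(f"launches known miner binary '{prog}'")
            break
    if reasons and d.get("RunAtLoad") and d.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarted at boot and whenever it exits")
    return reasons

def scan_launch_daemons(directory) -> dict:
    """Return {plist file name: reasons} for every matching plist in a LaunchDaemons directory."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        reasons = inspect_plist(path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings

def demo() -> dict:
    """Build a constructed LaunchDaemons directory (one benign, one suspect plist) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "com.example.backup.plist").write_bytes(plistlib.dumps(  # constructed benign daemon
        {"Label": "com.example.backup", "ProgramArguments": ["/usr/local/bin/backup"], "RunAtLoad": True}))
    (tmp / "com.pplauncher.plist").write_bytes(plistlib.dumps(  # constructed; binary path is a placeholder
        {"Label": "com.pplauncher", "ProgramArguments": ["/tmp/constructed/mshelper"],
         "RunAtLoad": True, "KeepAlive": True}))
    return scan_launch_daemons(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real machine, call scan_launch_daemons("/Library/LaunchDaemons") instead of demo(); the same parser works for ~/Library/LaunchAgents as well.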


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.