The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense have provided new and updated information on malicious cyber activity by the North Korean government. In six new Malware Analysis Reports (MARs), these agencies discuss and provide technical information for Trojan malware variants used by the North Korean government. The new Trojan malware variants include BISTROMATH, SLICKSHOES, HOTCROISSANT, ARTFULPIE, BUFFETLINE, and CROWDEDFLOUNDER. There is also an updated MAR for HOPLIGHT, which was initially reported on last year. In addition to malware descriptions related to HIDDEN COBRA, the MARs contain suggested response actions and recommended mitigation techniques. The MARs encourage users or administrators to flag and report activity they describe to CISA (online reporting form, CISAservicedesk@cisa.dhs.gov, or 1-888-282-0870) or the FBI CyWatch (cywatch@fbi.gov or 1-855-292-3937), and give the activity the highest priority for enhanced mitigation. Read the MARs at CISA.

What's in a MAR?

MARs provide technical details and analysis on observed cyber threat activity. While MARs provide in-depth technical analysis on malware files being considered new or evolving threats, MARs do not necessarily indicate the creation of new malware, as in many cases these files were created years prior and have significant antivirus detection. The importance of a MAR is to provide awareness and technical details to network defenders about currently observed adversary activity. For optimal network detection capability, MARs are best processed through automated indicator sharing platforms; however, they are also useful for proactive threat hunting. MARs are designed to be used in defense of networks and often include descriptions of the malware files and details from analysis and indicators of compromise (IOCs) such as command-and-control call backs, hardcoded IP address for malicious infrastructure, and file hashes. Behavioral indicators, antivirus detections, and YARA rules are often included for implementing detection within network environments. Each MAR includes suggested response actions and recommended mitigation techniques. Furthermore, IOCs from MARs are automatically incorporated into the WaterISAC Community in Perch for network detection. WaterISAC members using Perch automatically benefit from this automated indicator sharing within their environment.