The United States Department of Justice (DoJ) announced Wednesday its effort to “map and further disrupt” a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade.Dubbed Joanap, the botnet is believed to be part of “Hidden Cobra”—an Advanced Persistent Threat (APT) actors’ group often known as Lazarus Group and Guardians of Peace and backed by the North Korean government.Hidden Cobra is the same hacking group that has been allegedly associated with the WannaCry ransomware menace in 2016, the SWIFT Banking attack in 2016, as well as Sony Motion Pictures hack in 2014.
Dates back to 2009, Joanap is a remote access tool (RAT) that lands on a victim’s system with the help an SMB worm called Brambul, which crawls from one computer to another by brute-forcing Windows Server Message Block (SMB) file-sharing services using a list of common passwords.Once there, Brambul downloads Joanap on the infected Windows computers, effectively opening a backdoor for its masterminds and giving them remote control of the network of infected Windows computers.If You Want to Beat Them, Then First Join Them
Interestingly, the computers infected by Joanap botnet don’t take commands from a centralized command-and-control server; instead it relies on peer-to-peer (P2P) communications infrastructure, making every infected computer a part of its command and control system.Even though Joanap is currently being detected by many malware protection systems, including Windows Defender, the malware’s peer-to-peer (P2P) communications infrastructure still leaves large numbers of infected computers connected to the Internet.So to identify infected hosts and take down the botnet, the FBI and the Air Force Office of Special Investigations (AFOSI) obtained legal search warrants that allowed the agencies to join the botnet by creating and running “intentionally infected” computers mimicking its peers …

Go to Source


Comments are closed.