FBI burrowing into North Korea’s big bad botnet

The US has infiltrated, mapped, and poked a stick into the spokes of Joanap: what it claims is a botnet of hijacked Microsoft Windows computers operated by botnet masters in North Korea.

The Feds are also continuing to mess with the globe-spanning network by notifying the owners of the commandeered systems Joanap still controls, years after it was first discovered and in spite of antivirus software being able to fend it off.

The US Department of Justice (DOJ) announced on Wednesday that the effort follows charges, unsealed in September 2018, against a North Korea regime-backed programmer, Park Jin Hyok.

The botnet behind some big baddies

The complaint against Park alleged that he and his co-conspirators used a Server Message Block (SMB) worm commonly known as Brambul to gain unauthorized access to computers, and then used those computers to carry out a mess of big, nasty cyberattacks.

Among them were the global WannaCry ransomware attack of 2017, the 2014 attack on Sony Pictures, and the $81m cyber heist from 2016 that drained Bangladesh’s central bank.

The complaint alleged that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specifically called out Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security (DHS).

Specifically, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware like WannaCry.

Hidden Cobra, crouching warrants

As US-CERT detailed in a May 2018 alert, the Joanap RAT is a so-called “second-stage” malware that’s often spread by the “first-stage” Brambul malware.

Once installed on a system, Joanap allows what the US claims are its North Korean overlords to remotely access computers, gain root-level access to infected computers, and load additional malware.

Joanap-infected computers – known as peers or bots – then get lassoed into the botnet. The Joanap botnet uses a decentralized peer-to-peer (P2P) setup to communicate, rather than a centralized command-and-control domain. …

… A fact that came into play when getting a court order and search warrant granted by a California court in October, which gave the FBI and the US Air Force Office of Special Investigations (AFOSI) the go-ahead to operate servers that pretended to be peers in the botnet.

That way, the FBI’s imposter peers could collect what prosecutors said was “limited identifying and technical information about other peers infected with Joanap,” including IP addresses, port numbers, and connection timestamps.

The FBI and AFOSI used that information to build a map of the Joanap botnet’s infected computers.

The reason we’re hearing about this now, as opposed to when the warrant was granted in October, is that the court gave the FBI permission to delay service of the warrant until last week, on Wednesday, due to the flight from justice or tampering/destruction of evidence that would very likely have been triggered otherwise.

At any rate, by monitoring the IP addresses of the infected computers that join the network, the Feds could also alert people whose systems have been infected. The victims were, or will be, tipped off via their ISPs or via personal notifications if their computers aren’t behind a firewall or router. For victims outside the US, the Feds are contacting their host countries’ governments, including by using the FBI’s Legal Attachés.

Old, well-known, and still a threat

Even though the botnet was discovered years ago, and even though antivirus software can detect it, there are still computers around the world that remain affected, Assistant Attorney General for National Security John Demers said in the DOJ’s release.

United States Attorney Nicola T. Hanna:

While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.

We’re going to patch-party like it’s 2009

In fact, the second-stage Joanap botnet and the first-stage Brambul worm have been around since 2009, even though they’ll be mopped up by any good antivirus product.

So please, take advantage of the protections that are out there. Ten years later, they’re still necessary.

Paul Delacourt, Assistant Director in Charge of the FBI’s Los Angeles Field Office:

We urge computer users to take precautions, such as updating their software and utilizing antivirus, in order to avoid being victimized by this type of malware.

Sophos products like Sophos Home, Intercept X and XG Firewall will all prevent Joanap infections.