Hidden Cobra – Joanap Backdoor Trojan And Brambul Server Message Block Worm
According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors.
Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities.
Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.
Technical Details
Joanap
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include
- file management,
- process management,
- creation and deletion of directories, and
- node management.
Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.
Brambul
Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.
Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:
- harvesting system information,
- accepting command-line arguments,
- generating and executing a suicide script,
- propagating across the network using SMB,
- brute forcing SMB login credentials, and
- generating Simple Mail Transport Protocol email messages containing target host system information.
Hosts And IP’s To Block
181.1.253.234
200.82.62.24
81.243.151.226
81.247.219.196
138.204.211.197
177.221.11.176
177.221.11.233
177.41.74.199
179.107.219.90
187.127.112.60
187.127.115.206
189.15.173.106
103.227.174.79
146.88.205.56
113.57.34.213
117.179.224.33
181.234.231.152
190.60.109.166
196.204.141.76
196.221.41.109
1.186.218.107
103.71.212.72
106.51.226.188
114.79.191.185
117.213.169.79
117.213.170.132
117.213.170.252
117.214.92.199
117.254.85.138
123.201.161.60
157.49.171.35
202.142.71.166
49.206.100.19
49.206.105.206
59.92.69.202
59.92.69.23
59.92.69.254
59.92.69.51
59.92.70.122
59.92.70.162
59.92.70.164
59.95.151.28
59.97.22.192
61.3.239.224
2.182.31.181
2.182.31.195
2.182.31.84
2.187.201.47
82.212.93.217
110.36.226.146
203.130.24.202
176.45.234.206
176.45.248.239
176.47.60.110
188.49.198.65
188.54.209.88
188.54.251.115
5.156.110.212
5.156.137.47
51.235.186.186
90.148.206.252
95.184.0.49
95.218.39.84
2.137.162.251
124.43.35.86
124.43.39.105
124.43.41.213
124.43.41.48
124.43.42.30
90.236.254.71
1.160.139.122
1.169.112.88
1.170.194.142
111.253.145.11
111.255.198.92
114.26.231.136
114.36.15.80
114.36.3.66
114.39.179.133
114.46.75.51
122.121.9.203
36.229.45.69
36.231.179.65
36.231.36.64
36.235.81.169
36.238.65.99
41.224.255.67
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.