North Korean Remote Access Tool – COPPERHEDGE

This malware variant has been identified as COPPERHEDGE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. 

Copperhedge is a Remote Access Tool that uses the Manuscript family of malware, which is a full-featured RAT, to target cryptocurrency exchanges and related entities.

Manuscrypt is capable of running arbitrary commands, performing system reconnaissance and remove data. The US has described six distinct variants based on network and code features. The different models are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of “WinHTTP_Protocol” and later “WebPacket”, the report said.

For a downloadable copy of IOCs, see MAR-10288834-1.v1.stix.

Indicators Of Compromise (SHA)

Variant A
D8AF45210BF931BC5B03215ED30FB731E067E91F25EDA02A404BD55169E3E3C3
7985AF0A87780D27DC52C4F73C38DE44E5AD477CB78B2E8E89708168FBC4A882

Variant B
E98991CDD9DDD30ADF490673C67A4F8241993F26810DA09B52D8748C6160A292
4838F85499E3C68415010D4F19E83E2C9E3F2302290138ABE79C380754F97324
E76B3FD3E906AC23218B1FBD66FD29C3945EE209A29E9462BBC46B07D1645DE2
1FAAA939087C3479441D9F9C83A80AC7EC9B929E626CB34A7417BE9FF0316FF7
3FF4EBAE6C255D4AE6B747A77F2821F2B619825C7789C7EE5338DA5ECB375395
C2F150DBE9A8EFB72DC46416CA29ACDBAE6FD4A2AF16B27F153EAABD4772A2A1
1678327C5F36074CF5F18D1A92C2D9FEA9BFAE6C245EAAD01640FD75AF4D6C11
C0EE19D7545F98FCD15725A3D9F0DBD0F35B2091E1C5B9CF4744F16E81A030C5
9E4BD9676BB3460BE68BA4559A824940A393BDE7613850EDA9196259E453B9F3
EEE38C632C62CA95B5C66F8D39A18E23B9175845560AF84B6A2F69B7F9B6EC1C
F6E1A146543D2903146698DA5698B2A214201720C0BE756C6E8D2A2F27DCFAFF

Variant C
37BB27F4EB40B8947E184AFDDBA019001C12F97588E7F596AB6BC07F7C152602
E6FC788B5FF7436DA4450191A003966A68E2A1913C83F1D3AEC78C65F3BA85CA
284BC471647F951C79E3E333B2B19AA37F84CC39B55441A82E2A5F7319131FAC
A1CDB784100906D0AC895297C5A0959AB21A9FB39C687BAF176324EE84095472

Variant D
B4BF6322C67A23553D5A9AF6FCD9510EB613FFAC963A21E32A9CED83132A09BA

Variant E
134B082B418129FFA390FBEE1568BD9510C54BFDD0E6B1F36BC7B8F867E56283

Variant F
0A763DA26A67CB2B09A3AE6E1AC07828065EB980E452CE7D3354347976038E7E
1884DDC53EF66488CA8FC641B438895FCAADA77C15210118465377C63223B3BC
C24C322F4535DEF3F8D1579C39F2F9E323787D15B96E2EE457C38925EFFE2D39

Indicators Of Compromise (Domain Names)

028xmz.com

168wangpi.com

33cow.com

3x-tv.com

51shousheng.com

530hr.com

919xy.com

92myhw.com

97nb.net

aedlifepower.com

aisou123.com

aloe-china.com

anlway.com

ap8898.com

apshenyihl.com

as-brant.ru

aurumgroup.co.id

bogorcenter.com

cabba-cacao.com

castorbyg.dk

creativefishstudio.com

danagloverinteriors.com

duratransgroup.com

eventum.cwsdev3.biz

eygingenieros.com

growthincone.com

inverstingpurpose.com

locphuland.com

markcoprintandcopy.com

marmarademo.com

matthias-dlugi.de

new.titanik.fr

nuokejs.com

pakteb.com

qdbazaar.com

rhythm86.com

rxrenew.us

sensationalsecrets.com

stokeinvestor.com

streamf.ru

theinspectionconsultant.com

vinhsake.com