On February 14, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released six (6) new Malware Analysis Reports (MARs) and one (1) updated MAR related to malicious cyber activity from North Korea. Each MAR is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity. CISA encourages users and administrators to carefully review these MARs for each malware variant listed below.

• February 14, 2020: Malware Analysis Report (10265965-1.v1) – North Korean Trojan: BISTROMATH
• February 14, 2020: Malware Analysis Report (10265965-2.v1) – North Korean Trojan: SLICKSHOES
• February 14, 2020: Malware Analysis Report (10265965-3.v1) – North Korean Trojan: CROWDEDFLOUNDER
• February 14, 2020: Malware Analysis Report (10271944-1.v1) – North Korean Trojan: HOTCROISSANT
• February 14, 2020: Malware Analysis Report (10271944-2.v1) – North Korean Trojan: ARTFULPIE
• February 14, 2020: Malware Analysis Report (10271944-3.v1) – North Korean Trojan: BUFFETLINE
• February 14, 2020: Malware Analysis Report (10135536-8.v3) – North Korean Trojan: HOPLIGHT
  (updates October 31, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT, which updated April 10, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT)

Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

The information contained in these most recent seven (7) MARs, as well as the previous work linked below, is the result of analytic efforts between the U.S. Department of Homeland Security (DHS), the U.S. Department of Defense (DOD), and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.

For additional information on previous HIDDEN COBRA alerts and MARs, please see:

• September 9, 2019: Malware Analysis Report (10135536-21) – North Korean Proxy Malware: ELECTRICFISH
  (updates May 9, 2019: Malware Analysis Report (10135536-21) – North Korean Tunneling Tool: ELECTRICFISH)
• September 9, 2019: Malware Analysis Report (10135536-10) – North Korean Trojan: BADCALL
  (updates February 13, 2018: Malware Analysis Report (MAR-10135536-G) – North Korean Trojan: BADCALL and STIX file for MAR-10135536-G)
• October 2, 2018: Alert TA18-275A – HIDDEN COBRA FASTCash Campaign
• October 2, 2018: Malware Analysis Report MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware
• August 9, 2018: Malware Analysis Report (10135536-17) – North Korean Trojan: KEYMARBLE
• June 14, 2018: Malware Analysis Report (10135536-12) – North Korean Trojan: TYPEFRAME
• May 29, 2018: Alert: (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
• May 29, 2018: Malware Analysis Report (MAR-10135536-3) – HIDDEN COBRA RAT/Worm
• March 28, 2018: Malware Analysis Report (MAR-10135536.11) – North Korean Trojan: SHARPKNOT
  • STIX file for MAR-10135536.11
• February 13, 2018: Malware Analysis Report (MAR-10135536-F) – North Korean Trojan: HARDRAIN
  • STIX file for MAR-10135536-F
• December 21, 2017: Malware Analysis Report (MAR-10135536) – North Korean Trojan: BANKSHOT
  • STIX file for MAR-10135536
• November 14, 2017: Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
• November 14, 2017: Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer
• August 23, 2017: Malware Analysis Report (MAR-10132963) – Analysis of Delta Charlie Attack Malware
  • STIX file for MAR-10132963
• June 13, 2017: Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
• May 12, 2017: Alert (TA17-132A) Indicators Associated With WannaCry Ransomware