
TAINTEDSCRIBE

By GoldSparrow in Trojans

TAINTEDSCRIBE is a backdoor attributed to the North Korean APT (Advanced Persistent Threat) group tracked as HIDDEN COBRA, also known as the Lazarus Group. It compromises a targeted system silently, gives its operators backdoor access to the host, and supports a wide range of post-compromise tasks.

Once on a system, TAINTEDSCRIBE disguises its payload under the file name 'Narrator.exe', borrowed from Microsoft's legitimate screen-reader utility so that the process draws little attention. The genuine Narrator.exe is a Microsoft-signed binary that lives in the Windows system directory (%SystemRoot%\System32), so a file of that name anywhere else on disk, unsigned or with a hash that does not match the Microsoft binary, is a strong indicator on its own. The implant gains persistence by copying itself into the Windows Startup folder, which makes it run at every logon, and therefore after every reboot.
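As an added example (not code from the original page or from any vendor), the following Python script turns the two behaviours above into a hunting check: it walks the per-user and all-users Startup folders, hashes every file against the three sample hashes listed in the Details section below, flags any Narrator.exe that is not in the Windows system directories, and flags any PE image dropped directly into a Startup folder (legitimate entries there are normally .lnk shortcuts). The Startup folder locations are derived from the standard APPDATA and ProgramData environment variables; the demo() function runs the same rules against a constructed temporary folder containing fabricated files, so it can be tried on any operating system.

```python
"""Hunt for TAINTEDSCRIBE-style persistence: a PE dropped into a Windows
Startup folder under the name of a legitimate Microsoft tool.
Added example for this entry, not code from the page or from any vendor."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes of the three samples listed in this entry's Details section.
TAINTEDSCRIBE_SHA256 = {
    "106d915db61436b1a686b86980d4af16227776fc2048f2888995326db0541438",
    "2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf",
    "19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35",
}
TAINTEDSCRIBE_MD5 = {
    "24906e88a757cb535eb17e6c190f371f",
    "3005f1308e4519477ac25d7bbf054899",
    "68fa29a40f64c9594cc3dbe8649f9ebc",
}

# The genuine Narrator.exe lives only in the Windows system directories, so a
# file of that name anywhere else is suspicious whatever its hash.
MASQUERADE_NAMES = {"narrator.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}

REASON_HASH = "hash matches a known TAINTEDSCRIBE sample"
REASON_NAME = "Narrator.exe outside the Windows system directories"
REASON_PE = "PE image dropped directly into a Startup folder (expected .lnk shortcuts)"


def file_hashes(path):
    """Return (md5, sha256) hex digests, streaming the file in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header every PE image carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def startup_dirs():
    """Per-user and all-users Startup folders, built from the standard
    environment variables; only those that exist on this host are returned."""
    roots = []
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"], "Microsoft/Windows/Start Menu/Programs/Startup"))
    if os.environ.get("ProgramData"):
        roots.append(Path(os.environ["ProgramData"], "Microsoft/Windows/Start Menu/Programs/StartUp"))
    return [d for d in roots if d.is_dir()]


def classify(path, in_startup=False, sha256_iocs=TAINTEDSCRIBE_SHA256, md5_iocs=TAINTEDSCRIBE_MD5):
    """Return the list of rules a file trips (an empty list means nothing fired)."""
    path = Path(path)
    reasons = []
    md5, sha256 = file_hashes(path)
    if sha256 in sha256_iocs or md5 in md5_iocs:
        reasons.append(REASON_HASH)
    if path.name.lower() in MASQUERADE_NAMES and path.parent.name.lower() not in SYSTEM_DIRS:
        reasons.append(REASON_NAME)
    if in_startup and is_pe(path):
        reasons.append(REASON_PE)
    return reasons


def scan(dirs=None, sha256_iocs=TAINTEDSCRIBE_SHA256, md5_iocs=TAINTEDSCRIBE_MD5):
    """Treat every directory in `dirs` (default: this host's Startup folders) as
    a Startup folder and return {path: reasons} for files that tripped a rule."""
    findings = {}
    for d in (startup_dirs() if dirs is None else dirs):
        for p in sorted(Path(d).rglob("*")):
            if p.is_file():
                reasons = classify(p, True, sha256_iocs, md5_iocs)
                if reasons:
                    findings[str(p)] = reasons
    return findings


def demo():
    """Run the rules over a constructed, throw-away folder standing in for a
    Startup directory: a fake 'Narrator.exe' PE stub, a benign shortcut, and a
    file whose hash is added to the IOC set on the fly. Returns {name: reasons}."""
    root = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (root / "Narrator.exe").write_bytes(b"MZ" + b"\x00" * 64)  # constructed PE stub
    (root / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00")       # constructed shortcut
    planted = root / "update.dat"
    planted.write_bytes(b"constructed sample body, not real malware")
    _, planted_sha256 = file_hashes(planted)
    found = scan([root], TAINTEDSCRIBE_SHA256 | {planted_sha256})
    return {Path(p).name: reasons for p, reasons in found.items()}


if __name__ == "__main__":
    print("host Startup folders:", scan() or "nothing flagged")
    print("constructed demo folder:", demo())
```

On a real host, run it as the user whose profile you are examining (the per-user Startup path comes from that user's APPDATA); a hit on the hash rule is definitive for these samples, while the name and PE rules are triage signals that should be followed up by checking the file's signature and its creation time against the user's logon history.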

Once TAINTEDSCRIBE has established persistence on the infected host, it gives its operators the ability to:

  • Send files from the C&C (Command & Control) server to the host.
  • Compress files on the host and upload them to the C&C server.
  • Manage running processes.
  • Manage Windows services.
  • Open a remote shell.
  • List directories and files.
  • Delete directories and files.
  • Update the implant's configuration.

Researchers assess that TAINTEDSCRIBE is primarily used to collect data from its targets and is well suited to long-running reconnaissance. Because it can delete files and entire directories, HIDDEN COBRA can also turn it against an infected host destructively.

TAINTEDSCRIBE is most likely delivered through carefully crafted phishing emails. HIDDEN COBRA is a capable, well-resourced group, so keep systems protected with a reputable, up-to-date anti-virus suite and treat unexpected attachments with suspicion.

Details:

Sample: 106d915db61436b1a686b86980d4af16227776fc2048f2888995326db0541438
Name: Narrator.exe
Size: 286720 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 24906e88a757cb535eb17e6c190f371f
SHA1: bda6c036fe34dda6aea7797551c7853a9891de96
SHA256: 106d915db61436b1a686b86980d4af16227776fc2048f2888995326db0541438
SHA512: b02f86d8261875c9eaf2ee9d491bc7a5ed3227c90854060078598a7425b58d096398315144517a9daec6cb3542fe901af434b597692963dec0b8f43615bea58f
ssdeep: 3072:qKhnf91e3YGs53EeY9eDUSGPGrdj+MieMUgUo2n6/rZDS35bb3tiWh6f9FKi4Z+J:xWvsN/Y9eDpjnieMB2BFtQFgZKUV
Entropy: 6.553050

Sample: 2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf
Name: EngineDll.dll
Size: 166400 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 3005f1308e4519477ac25d7bbf054899
SHA1: 0cf64de7a635f5760c4684c18a6ad2983a2c0f73
SHA256: 2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf
SHA512: 77b0b20002ab4a175941a81e309ac6771295abee45497ae507d43fcef237dc7f614bac1e9f97086ef22892db5ef895075c63e467347b08d7e5a76dbe226a190f
ssdeep: 3072:jdouAxXKBsOmN7OslJyOmg/wMFOpYop4vdxZdXYGeJavqL:jd3kCsOM5/YY3d9z
Entropy: 6.511161

Sample: 19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35
Name: EngineDll.dll
Size: 166400 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 68fa29a40f64c9594cc3dbe8649f9ebc
SHA1: b24f6c60fa4ac76ffc11c2fcee961694aeb2141b
SHA256: 19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35
SHA512: ffca587964d68e3bea67b4add649b06d768457bf49e2db0708996835f0d9da95cc79bcb6640220053632e993fe545e8ca4cd50309bf0d769c515112404b26e6c
ssdeep: 3072:VovrXpvEgEOtXOssvdAeL7Mz81dYFQbEPWgtXJtLNh1jUV46mG:VUDpNyD77YF/+gtHLRj7G
Entropy: 6.512934

Aliases

11 security vendors flagged this file as malicious.

Anti-Virus Software Detection
- Trojan.Generic.Win32.918308
- BScope.Trojan.Win64.AllStars
- Trojan.Win32.NukeSped.fuwevb
- Trojan.GenericKD.32212178 (B)
- Win32/NukeSped.CO trojan variant
- W32/Agent.XH.gen!Eldorado
- BitDefender: Trojan.GenericKD.32212178
- Trojan.Win32.Generic.mmcn
- TR/RedCap.ihekz
- Antiy-AVL: Trojan/Win32.Wacatac
- AhnLab-V3: Trojan/Win32.Agent

File System Details

TAINTEDSCRIBE may create the following file(s):
#   File Name      SHA256                                                            MD5
1.  Narrator.exe   106d915db61436b1a686b86980d4af16227776fc2048f2888995326db0541438  24906e88a757cb535eb17e6c190f371f
2.  EngineDll.dll  2057c0cf4617eab7c91b99975dfb1e259609c4fa512e9e08a311a9a2eb65a6cf  3005f1308e4519477ac25d7bbf054899
3.  EngineDll.dll  19f9a9f7a0c3e6ca72ea88c655b6500f7da203d46f38076e6e8de0d644a86e35  68fa29a40f64c9594cc3dbe8649f9ebc
