Crouching Siberian Tiger, Hidden Cobra

Unless you were tasked with writing a blog involving North Korea, you probably would never know that the ‘unofficial’ national animal of North Korea is a winged horse called a Chollima.

Imagine our joy when we discovered that the Siberian Tiger is also a national symbol of the region gifting us with a passable blog title. It has been mentioned to us (by an undisclosed government source) that the tigers are probably crouching because most of the North Korean ones have been eaten, used for aphrodisiac purposes or both (eeek).

Yes folks this week has brought us news that The Hidden Cobra Group (also known as The Lazarus Group and Guardians of Peace, very greedy), threat actors of The North Korean State (or so we are told) have been up to yet more badness, deploying Remote Access Trojan (RAT) software, left right and centre targeting media, aerospace, financial, and critical infrastructure sectors internationally.

The badness comes via three different, but linked methods, each with their own sinister names (mwahaha). You all know how we love a malware with its own name:

  • DeltaCharlie (DDoS Botnet Infrastructure)
  • FALLCHILL (Remote Administration Tool)
  • Volgmer (Trojan)

The details of these naughty malwares are explained in the following US-CERT advisories:


The advisories include everything you might expect, including Indicators Of Compromise (IOCs) in the shape of IP Addresses, which may be linked to these attacks.

If you are an ITC NetSure360° managed services customer we have added these IOCs to our platforms and looked at all logs retrospectively for malicious activity.

If you are not an ITC managed services customer, we recommend that you do what you can with the IOCs and your logs, remembering that there is considerable overlap with these IP addresses and those used in other attacks – we are struggling to find unique Hidden Cobra IOCs in the list at this point.

In other news this week, you may have seen it reported that hackers are using RDP servers open to the Internet for the purposes of distributing malware.

Actually we know this has been happening for some time, in fact some friends of ours (NOT CUSTOMERS, AHEM) left an RDP server open on the Internet to allow a third party to manage some printers in their offices. The password they chose was unbelievably foolish (started with a P, ended with D123) and the inevitable came to pass.

If you have RDP servers connected directly to the Internet, please take them off the Internet, put them behind a firewall and mandate VPN access and 2 factor authentication. Or have your heads examined.

If you would like to discuss Crouching Tigers, Hidden Cobras, the insanity of Internet facing RDP servers, would like a copy of our full advisory notice or anything else security related, please contact us at: [email protected] or call 0207 517 3900.