Try in Splunk Security Cloud


Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Network_Traffic
  • Last Updated: 2020-01-22
  • Author: Rico Valdez, Splunk
  • ID: baf7580b-d4b4-4774-8173-7d198e9da335


North Korea’s government-sponsored “cyber army” has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group’s activity, which the US government refers to as “Hidden Cobra,” has surreptitiously crept onto the collective radar as a preeminent global threat. These state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie “The Interview” at the end of 2014. They’re also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking. In June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed “Joanap,” is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, “Brambul,” is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim’s local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations. Among other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, “adnim$,” which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.


Name Technique Type
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal TTP
DNS Query Length Outliers - MLTK DNS, Application Layer Protocol Anomaly
DNS Query Length With High Standard Deviation Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Detect Outbound SMB Traffic File Transfer Protocols, Application Layer Protocol TTP
First time seen command line argument PowerShell, Windows Command Shell Hunting
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Hunting
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly
Suspicious File Write   Hunting


source | version: 2