US-CERT Alert (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Low
Published: Tue May 29 2018 (05/29/2018, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: tlp
Product: white

Description

US-CERT Alert (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

AI-Powered Analysis

Last updated: 07/02/2025, 12:11:40 UTC

Technical Analysis

The US-CERT Alert TA18-149A details the HIDDEN COBRA campaign, attributed to the Lazarus Group, a well-known North Korean state-sponsored threat actor. This campaign involves two primary malware components: the Joanap backdoor Trojan and the Brambul Server Message Block (SMB) worm. Joanap functions as a backdoor, enabling remote control over infected systems, facilitating data exfiltration, and allowing the attacker to execute arbitrary commands. Brambul is a worm that propagates via the SMB protocol by leveraging brute force attacks against weak or default credentials to spread laterally within networks. The Lazarus Group employs various tactics including remote file copy, brute force attacks, use of connection proxies, command-line interface execution, and system information discovery to maintain persistence, evade detection, and expand their foothold. Although the alert classifies the severity as low, the combination of a stealthy backdoor and a worm capable of rapid lateral movement presents a significant threat. The campaign does not rely on zero-day vulnerabilities but exploits common weaknesses such as poor credential hygiene and unpatched SMB services. No known exploits in the wild are reported beyond these malware tools. The threat level and analysis scores indicate moderate confidence in the technical details and threat actor attribution.

Potential Impact

For European organizations, the HIDDEN COBRA campaign poses a risk primarily through unauthorized access and lateral movement within corporate networks. The Joanap backdoor can compromise confidentiality by enabling data theft and espionage, while Brambul's worm capabilities threaten availability by potentially causing network congestion or service disruption through rapid propagation. The use of brute force attacks against SMB services highlights the risk to organizations with weak password policies or exposed SMB ports. Given the Lazarus Group's history of targeting financial institutions, critical infrastructure, and government entities, European sectors such as banking, energy, and public administration could face espionage, data breaches, or operational disruptions. The campaign's stealthy nature complicates detection, increasing the risk of prolonged undetected presence. However, the absence of zero-day exploits and reliance on known attack vectors means that organizations with robust patching and credential management practices are less vulnerable.

Mitigation Recommendations

European organizations should implement targeted measures beyond generic advice:

1) Enforce strong password policies and multi-factor authentication (MFA), especially for SMB and remote access services, to mitigate brute force attacks.
2) Disable the SMBv1 protocol and restrict SMB traffic to internal networks only, using network segmentation and firewall rules to limit lateral movement.
3) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying anomalous command-line activity and unusual network connections indicative of Joanap backdoor operations.
4) Conduct regular network traffic analysis to detect SMB worm propagation patterns and unauthorized remote file copy activities.
5) Maintain up-to-date patching of operating systems and network devices to close known vulnerabilities exploited by the malware.
6) Implement strict monitoring and alerting on account lockouts and failed login attempts to identify brute force attempts early.
7) Conduct threat hunting exercises focused on indicators of compromise related to Lazarus Group tactics and malware signatures.
8) Educate IT and security teams about the specific behaviors of Joanap and Brambul to improve incident response readiness.
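Recommendations 4 and 6 above come down to spotting the signature of SMB credential brute forcing on the target side: many failed network logons from one source against several accounts in a short window. The following detector is an added example, not part of the US-CERT alert or the aggregator's analysis; it runs over constructed Windows Security event records (event 4625 = failed logon, logon type 3 = network), and the field names, thresholds and sample IPs/usernames are assumptions chosen for illustration.

```python
"""Flag SMB/network brute-force bursts in Windows Security events.

Added example (not from the US-CERT alert): an SMB worm guessing credentials
surfaces on each target as event 4625 (failed logon) with logon type 3
(network). Many such failures from one source against several distinct
accounts within a short window is the detection signal; a single user
mistyping a password does not cross both thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def _event(ts, event_id, logon_type, src_ip, user):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "target_user": user}

BASE = datetime(2018, 5, 29, 10, 0, 0)

# Constructed telemetry (not real data): one user mistyping a password four
# times over 21 minutes, one successful logon (4624), and a single host
# spraying four accounts at one attempt every 10 seconds.
SAMPLE_EVENTS = (
    [_event((BASE + timedelta(minutes=7 * i)).isoformat(), 4625, 3, "10.0.1.7", "j.doe")
     for i in range(4)]
    + [_event((BASE + timedelta(minutes=30)).isoformat(), 4624, 3, "10.0.1.7", "j.doe")]
    + [_event((BASE + timedelta(seconds=10 * i)).isoformat(), 4625, 3, "10.0.5.23",
              ["administrator", "admin", "guest", "backup"][i % 4]) for i in range(12)]
)

def detect_smb_bruteforce(events, window=timedelta(minutes=5), min_failures=10, min_accounts=3):
    """Return one alert per source IP whose type-3 4625 failures, within any
    sliding `window`, reach `min_failures` and touch `min_accounts` accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["target_user"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {user for _, user in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                alerts.append({"src_ip": src, "failures": len(span),
                               "accounts": sorted(accounts),
                               "first_seen": span[0][0].isoformat(),
                               "last_seen": span[-1][0].isoformat()})
                break  # one alert per source; stop scanning this host
    return alerts

if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would be fed from the 4625 events of every host (or from a SIEM query keyed on source address), with the window and thresholds tuned to the environment's normal lockout rate.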

Technical Details

Threat Level: 3
Analysis: 2
Original Timestamp: 1621849752

Threat ID: 682acdbdbbaf20d303f0be04

Added to database: 5/19/2025, 6:20:45 AM

Last enriched: 7/2/2025, 12:11:40 PM

Last updated: 8/17/2025, 2:50:45 PM

Views: 20

