
US Authorities Move to Shutdown Joanap Botnet

It is no secret that the US faces many cybersecurity threats to national and business interests. With government workers returning to their jobs after a lengthy government shutdown over President Trump’s planned border wall, the true cost of the shutdown’s impact on cybersecurity can now be calculated. However, not all government bodies were completely hamstrung. In a combined operation, the US Department of Justice (DOJ), the FBI's Los Angeles Field Office and the US Air Force Office of Special Investigations (AFOSI) announced that operations were underway to take down Joanap, a botnet operated by North Korean hacker groups. On January 30, 2018, the US Department of Justice announced the operation, which had been active since October 2018. The DOJ provided court documents, including a court order and a search warrant, to give the public more information.

Based on the documents provided, readers gain a unique insight into how the operation was made possible and conducted. The operation started with the authorities operating servers which mimicked infected computers that were part of the botnet and silently mapped other infected hosts. This was made possible purely because of the way the botnet had been constructed. The botnet relies upon a peer-to-peer (P2P) communications system in which infected hosts relay commands introduced into the botnet's network from one to another, instead of reporting to one central command-and-control server. In its simplest form, P2P communication relies on a network architecture that partitions tasks or workloads between peers. Peers have equal privileges, and it is this fact that was the botnet’s Achilles heel.

After months of mapping the entire botnet the authorities plan to notify victims, directly and through their internet service providers, in an effort to have these systems disinfected, and indirectly disrupt one of North Korea's oldest cyber-weapons. Assistant Attorney General for National Security John Demers summarised the reason and ultimate aim of the operation as follows,

“Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department's efforts to use every tool at our disposal to disrupt national security threat actors.”

Above, the Joanap botnet was referred to as one of North Korea’s oldest cyber-weapons. Based on a security alert issued by the Department of Homeland Security, the botnet has been active since 2009 and relies on two malware strains to infect other computers. The first strain the botnet relies on is called Brambul, a worm which uses brute force attacks to compromise Windows Server Message Block (SMB) services, trying multiple passwords from a list of common passwords to gain access to the system.
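Brambul's SMB password guessing, as described above, leaves a distinctive trail on the target: a burst of failed network logons from a single source host, often followed by a success once a password from the list works. The following detection logic is an added example, not code from the article or the DHS alert; it runs over constructed Windows Security log lines in a simplified one-line format, and the 60-second window and threshold of five failures are assumed tuning values.

```python
"""Flag Brambul-style SMB password guessing in (simplified) Windows Security logs.

Network logons (Logon Type 3) are what SMB authentication produces. Event 4625 is a
failed logon, 4624 a successful one. Many 4625/type-3 events from one source in a
short window, followed by a 4624 from the same source, is the pattern to alert on.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source guessing several common
# accounts over SMB and finally succeeding, plus unrelated noise from another host.
SAMPLE_LOG = """\
2019-02-01T10:00:01 EventID=4625 LogonType=3 User=administrator Src=10.0.0.7
2019-02-01T10:00:02 EventID=4625 LogonType=3 User=administrator Src=10.0.0.7
2019-02-01T10:00:02 EventID=4625 LogonType=3 User=admin Src=10.0.0.7
2019-02-01T10:00:03 EventID=4625 LogonType=3 User=guest Src=10.0.0.7
2019-02-01T10:00:04 EventID=4625 LogonType=3 User=administrator Src=10.0.0.7
2019-02-01T10:00:05 EventID=4624 LogonType=3 User=administrator Src=10.0.0.7
2019-02-01T10:00:09 EventID=4625 LogonType=2 User=alice Src=10.0.0.9
2019-02-01T10:05:00 EventID=4625 LogonType=3 User=bob Src=10.0.0.9
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)")

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, src) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["user"], m["src"])

def detect_smb_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"failures", "users", "success_after"}} for every source with at
    least `threshold` failed network logons inside a sliding `window`; a later 4624
    from the same source sets success_after, meaning a guessed password worked."""
    fails = defaultdict(list)   # src -> timestamps of recent failed network logons
    users = defaultdict(set)    # src -> account names tried
    hits = {}
    for ts, eid, lt, user, src in sorted(parse(log_text)):
        if lt != 3:
            continue            # only network logons are relevant to SMB guessing
        if eid == 4625:
            fails[src].append(ts)
            users[src].add(user)
            while fails[src] and ts - fails[src][0] > window:
                fails[src].pop(0)   # expire failures that fell out of the window
            if len(fails[src]) >= threshold:
                entry = hits.setdefault(src, {"success_after": False})
                entry["failures"], entry["users"] = len(fails[src]), sorted(users[src])
        elif eid == 4624 and src in hits:
            hits[src]["success_after"] = True
    return hits
```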


If a correct password is found, the malware has a foothold on the infected computer. It then deploys the second piece of malware, also called Joanap, which is essentially a backdoor that allows the malware to spread to more victims. The backdoor is capable of downloading and uploading files and other malware. Added to this, the particularly feature-rich malware can execute files, manage local processes, and start a proxy to relay malicious traffic through the infected host. There is little doubt that the DOJ operation will help further illuminate the shady operations of North Korean groups like Hidden Cobra and combat future operations. Recent events illustrate US authorities’ dedication to tightening the screws on North Korean hackers, but privacy concerns have been raised.

Andrew Crocker, a senior staff attorney at the digital privacy advocacy group Electronic Frontier Foundation, noted that,

“The operation appears fairly sophisticated, describing the technical steps the government will take to ensure the computers it's accessing are actually infected and trying to limit the type of data it collects in order to shut down the botnet and ultimately notify US users who are affected. With that said, these techniques are inherently invasive, both because of the possibility of unintended consequences and because the government is executing searches on many computers whose owners are not accused of any wrongdoing, but which have become infected.”

A Victory for US Authorities?

Even with privacy concerns being raised, authorities will undoubtedly feel the operation was a job well done. It will also be felt that this is the result of hard work, starting with the indictment of the person believed to be responsible for the WannaCry ransomware outbreak. According to the 179-page indictment, the US believes that Park Jin Hyok, a 34-year-old North Korean, is one of the many individuals behind a long string of malware attacks and intrusions, such as:

  • The WannaCry ransomware outbreak of 2017
  • Attempts to hack US defense contractor Lockheed Martin in 2016
  • The 2016 Bangladesh Central Bank cyber-heist
  • The breach at Sony Pictures Entertainment in 2014
  • Breaches at US movie theatre chains AMC Theatres and Mammoth Screen in 2014
  • A long string of hacks of South Korean news media organizations, banks, and military entities across several years
  • Hacks of banks all over the world from 2015 through 2018

All of this was announced by the DOJ at the start of September 2018 and represented a significant stepping up of the pressure being applied to North Korea. Announcements made recently may be an indication of greater momentum on the side of the US authorities. This by no means can be seen as the end of Hidden Cobra; the group is incredibly resourceful and well versed in the dark arts of cybercrime and espionage. This is not the last time we will hear from them.


About the author:

Karolis Liucveikis
