The United States Department of Justice (DoJ) announced on Wednesday its efforts to “map and further disrupt” Joanap, a North Korean-affiliated botnet that has infected a large number of Microsoft Windows computers worldwide over the past decade.
Joanap is believed to be a component of “Hidden Cobra,” a group of Advanced Persistent Threat (APT) actors also known as Lazarus Group and Guardians of Peace and supported by the North Korean government.
Hidden Cobra is the same hacking group that has been linked to the WannaCry ransomware outbreak in 2017, the SWIFT banking attack in 2016, and the Sony Pictures Entertainment hack in 2014.
Joanap, a remote access tool (RAT) that dates back to 2009, is delivered by the SMB worm Brambul, which spreads by brute-forcing logins to Windows Server Message Block (SMB) file-sharing services with a list of common passwords.
Once Brambul has a foothold, it downloads Joanap onto the infected Windows computer, opening a backdoor that gives the operators remote control over the infected machines and the network they sit on.
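The spreading behaviour described above, a worm working through a list of common passwords against SMB, is visible on the target in the Windows Security log: each rejected attempt is Event ID 4625 with Logon Type 3 (network logon). The following is an added example, not code from the article or from any investigating agency, of the detection rule a SOC would write for it. The event records, host names and addresses are constructed for the example; the rule itself requires both a burst of failures and a spread across distinct accounts, because a single account failing repeatedly is more often a stale service credential than a worm.

```python
"""Detection logic for Brambul-style SMB password brute-forcing.

Added example, not code from the article or from any named project. It
runs over constructed Windows Security log events: a failed logon is
Event ID 4625, and an SMB authentication attempt from the network is
Logon Type 3. A burst of such failures from one source address against
several different accounts is the fingerprint of a worm working through
a list of common passwords.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (addresses from the RFC 5737 documentation ranges).
# Each event: (timestamp, event_id, logon_type, source_ip, target_user)
BASE_TIME = datetime(2019, 1, 30, 10, 0, 0)
ATTACKER = "192.0.2.45"   # hypothetical infected host scanning the subnet
SAMPLE_EVENTS = []
# Attacker: 12 failed network logons in under two minutes, cycling through
# four common account names, as a password-list worm would.
for i, user in enumerate(["Administrator", "admin", "guest", "user"] * 3):
    SAMPLE_EVENTS.append((BASE_TIME + timedelta(seconds=10 * i), 4625, 3, ATTACKER, user))
# Legitimate user: two mistyped passwords, then a successful logon (4624).
SAMPLE_EVENTS += [
    (BASE_TIME + timedelta(minutes=1), 4625, 3, "198.51.100.7", "jsmith"),
    (BASE_TIME + timedelta(minutes=1, seconds=20), 4625, 3, "198.51.100.7", "jsmith"),
    (BASE_TIME + timedelta(minutes=1, seconds=40), 4624, 3, "198.51.100.7", "jsmith"),
]


def detect_smb_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=10, min_users=3):
    """Return {source_ip: details} for sources whose failed network logons
    within any `window` reach `min_failures` attempts spread over at least
    `min_users` distinct target accounts."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if event_id == 4625 and logon_type == 3:
            by_source[src].append((ts, user))

    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        best = None
        start = 0
        # Sliding window over this source's failures, oldest to newest;
        # keep the densest window that satisfies both thresholds.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best["failures"]:
                    best = {
                        "failures": len(span),
                        "users": sorted(users),
                        "first_seen": span[0][0],
                        "last_seen": span[-1][0],
                    }
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures against {info['users']} "
              f"between {info['first_seen']} and {info['last_seen']}")
```

On the constructed data only the scanning host is flagged; the user who mistyped a password twice stays below both thresholds. On a real domain controller the same rule runs over 4625 events exported from the Security log, and the thresholds are tuned to the environment's normal failure rate.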
If You Want to Beat Them, Join Them First
The Joanap botnet uses peer-to-peer (P2P) command-and-control: every infected computer is itself a node of the C2 infrastructure, so there is no central server whose seizure would dismantle the network.
Although Joanap is now detected by numerous malware protection products, including Windows Defender, its P2P infrastructure still links a large number of infected computers across the Internet.
To identify infected hosts and shut down the botnet, the FBI and the Air Force Office of Special Investigations (AFOSI) obtained search warrants allowing them to join the botnet by creating and running “intentionally infected” computers that mimicked its peers, collecting technical and “limited” identifying information from other infected machines in order to map them, according to a Department of Justice press release.
U.S. Attorney Nicola T. Hanna stated, “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet.”
“The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to launch destructive computer intrusions.”
The IP addresses, port numbers, and connection timestamps collected from Joanap-infected computers allowed the FBI and AFOSI to build a map of the botnet as it exists today.
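Mapping a P2P botnet from such records comes down to crawling peer lists transitively: a sensor that behaves like an infected host asks each peer it reaches for the other peers it knows, logs the addresses, ports and times returned, and follows those entries until no new hosts appear. The block below is an added example of that crawl over constructed records; it is not the FBI or AFOSI tooling, the record layout and addresses are assumptions, and Joanap's real peer-exchange protocol is not shown on this page.

```python
"""Build a map of a peer-to-peer botnet from records a mimic peer collected.

Added example with constructed data; it is not the FBI/AFOSI tooling and
assumes a simplified record format. The sensor joins the network as if it
were an infected host, asks each peer it reaches for that peer's list of
other peers, and logs what comes back. Crawling those lists transitively
yields the set of infected hosts, which ones answered, which were only
advertised by others (offline, behind NAT, or a stale entry), which hosts
many peers point at, and when each was last seen.
"""
from collections import defaultdict, deque

SENSOR = "203.0.113.10"  # constructed: the investigators' intentionally infected peer

# Constructed records (RFC 5737 addresses). One entry per advertised peer:
# (reporting_peer, advertised_peer, advertised_port, timestamp). The sensor's
# own bootstrap list appears as records reported by the sensor itself.
RECORDS = [
    ("203.0.113.10", "192.0.2.1", 443,  "2019-01-28T08:00:00"),
    ("203.0.113.10", "192.0.2.2", 443,  "2019-01-28T08:00:00"),
    ("192.0.2.1",    "192.0.2.2", 443,  "2019-01-28T08:05:00"),
    ("192.0.2.1",    "192.0.2.3", 8080, "2019-01-28T08:05:00"),
    ("192.0.2.2",    "192.0.2.1", 443,  "2019-01-28T08:06:00"),
    ("192.0.2.2",    "192.0.2.4", 443,  "2019-01-28T08:06:00"),
    ("192.0.2.3",    "192.0.2.1", 443,  "2019-01-28T08:10:00"),
    ("192.0.2.4",    "192.0.2.5", 443,  "2019-01-28T09:00:00"),
    ("192.0.2.5",    "192.0.2.4", 443,  "2019-01-28T09:30:00"),
    ("192.0.2.5",    "192.0.2.6", 443,  "2019-01-28T09:30:00"),  # .6 never answered
]


def build_graph(records):
    """Directed adjacency: reporter -> set of (peer, port) it advertised."""
    graph = defaultdict(set)
    for reporter, peer, port, _ in records:
        graph[reporter].add((peer, port))
    return graph


def crawl(graph, start):
    """Breadth-first walk over advertised peers; returns every host reachable
    from `start` by following peer lists, excluding `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for peer, _ in graph.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    seen.discard(start)
    return seen


def map_botnet(records, sensor):
    """Summarise the botnet as seen from `sensor`."""
    graph = build_graph(records)
    hosts = crawl(graph, sensor)
    responded = {r for r, _, _, _ in records if r != sensor}
    advertisers = defaultdict(set)   # peer -> distinct reporters naming it
    last_seen = {}
    for reporter, peer, _, ts in records:
        advertisers[peer].add(reporter)
        for host in (reporter, peer):
            if host != sensor:
                # ISO-8601 strings of one format sort chronologically.
                last_seen[host] = max(last_seen.get(host, ""), ts)
    # Hosts named by the most distinct peers are the ones worth notifying first.
    hubs = sorted(((h, len(advertisers[h])) for h in hosts),
                  key=lambda x: (-x[1], x[0]))
    return {
        "hosts": sorted(hosts),
        "responded": sorted(responded),
        "advertised_only": sorted(hosts - responded),
        "hubs": hubs,
        "last_seen": last_seen,
    }


if __name__ == "__main__":
    for key, value in map_botnet(RECORDS, SENSOR).items():
        print(f"{key}: {value}")
```

The split between hosts that answered and hosts that were only advertised is the caveat a practitioner wants: a crawl from one sensor sees the connected component around it, and entries for hosts behind NAT or long since cleaned linger in peer lists until the peers that hold them drop off.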
The agencies are now notifying victims of the Joanap infection through their Internet Service Providers (ISPs), and are sending personal notifications to individuals whose systems sit on the Internet without the protection of a router or firewall.
The US Department of Justice and FBI will also coordinate the notification of overseas victims of the Joanap malware by sharing the relevant information with foreign governments.
Efforts to disrupt the Joanap botnet began after the United States unsealed charges in September of last year against North Korean computer programmer Park Jin Hyok for his role in masterminding the Sony Pictures and WannaCry ransomware attacks.
Joanap and Brambul were recovered from computers belonging to victims of the campaigns listed in Park's September indictment, suggesting that he helped build the Joanap botnet.