The Justice Department today announced an effort to map and further disrupt the Joanap botnet – a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities.
This effort targeting the Joanap botnet follows charges unsealed last year in which the United States charged a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions. Those charges alleged that the conspiracy utilized a strain of malware, “Brambul,” which was also used to propagate the Joanap botnet.
Joanap malware targeted computers running the Microsoft Windows operating system and is used to gain access to and maintain infrastructure from which the hackers can carry out other malicious cyber activities. Joanap is a “second stage” malware, one that is often “dropped” by the automated Brambul “worm” that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities. Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers, gain root level (or near-total) access to infected computers, and load additional malware onto infected computers.
Computers infected with Joanap — known as “peers” or “bots” — became part of a network of compromised computers known as a botnet. Like other botnets, Joanap was designed to operate automatically and undetected on victims’ computers. Joanap uses a decentralized peer-to-peer communication system, rather than a centralized mechanism to communicate with and control the peers, such as a command-and-control domain.
In order to address that distinct feature, a court order and search warrant was obtained. The search warrant allowed the FBI and AFOSI to operate servers that mimicked peers in the botnet. By pretending to be infected peers, the computers operated by the FBI and AFOSI under the authority of the search warrant and order collected limited identifying and technical information about other peers infected with Joanap (i.e., IP addresses, port numbers, and connection timestamps). This allowed the FBI and AFOSI to build a map of the current Joanap botnet of infected computers.
Using the information obtained from the warrant, the government is notifying victims in the United States of the presence of Joanap on an infected computer. The FBI is both notifying victims through their Internet Service Providers and providing personal notification to victims whose computers are not behind a router or a firewall.
The second-stage Joanap botnet and the first-stage Brambul worm have endured since 2009, even though they have been identified in the past and a number of antivirus products defend against them. Many private cyber security research companies have also published analytical reports about Brambul and Joanap.
Joanap targets Microsoft Windows operating systems, but running Windows Defender Antivirus and using Windows Update will remediate and prevent infections by Joanap. A number of free and paid antivirus programs are also already capable of detecting and removing Joanap and Brambul, including the Microsoft Safety Scanner, a free product.