In a US-CERT alert released yesterday afternoon, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published indicators of compromise (IOCs) for a malware family known as DeltaCharlie, which North Korea uses to build its own DDoS botnet.
The malware itself is not new: it was described in the Operation Blockbuster report released in February 2016. What is new is that the DHS and FBI have compiled a list of IP addresses known to be infected with, or used to control, this bot, along with YARA rules that companies and security professionals can use to build detection.
Correlating the DHS and FBI alert with the Operation Blockbuster write-up, we now know that DeltaCharlie is the third DDoS bot developed by the hacking crew known as the Lazarus Group (aka Guardians of Peace), which is believed to operate out of North Korea under the protection of the local government. The DHS and FBI track this group as HIDDEN COBRA.
The other two are DeltaAlfa and DeltaBravo.
Over the past eight years, these three malware families have been used in a series of DDoS attacks that were later attributed to the Lazarus Group:
July 2009 - A large-scale DDoS attack on US and South Korean websites
March 2011 - “Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.
April 2011 - DDoS attack targets Nonghyup Bank.
At the technical level, DeltaCharlie is a DDoS bot that can launch Domain Name System (DNS) DDoS attacks, Network Time Protocol (NTP) DDoS attacks, and Character Generation Protocol (CHARGEN) DDoS attacks. All three are UDP services that are routinely abused as reflectors in amplification attacks, so an infected host is likely to show up in egress logs as a source of UDP traffic to ports 53, 123, and 19 on many external hosts.
The bot runs on infected computers as a svchost-based service and can also download other executables, update its configuration, update itself, terminate its own processes, and start or stop DDoS attacks.
The DHS and FBI say this malware has been used to target and attack the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.
"HIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert," US-CERT said in the joint report yesterday. "DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization."
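The two checks the alert asks administrators to run can be combined in a single triage script: match firewall or NetFlow-style records against the IP watchlist, and flag internal hosts that spray UDP at many distinct DNS, NTP, or CHARGEN servers, which is the traffic pattern the capabilities described above would produce. The following is an added example and is not code from the alert, US-CERT, or the Operation Blockbuster authors. The CSV layout, column names, internal address range, and every IP address and log line are constructed placeholders (RFC 5737 documentation ranges), not real indicators; substitute the .csv shipped with the alert and your own address space.

```python
# Added example, not from the US-CERT alert or the Novetta report: triage
# flow records against (a) an IOC IP list in an assumed .csv layout and
# (b) a behavioural rule for the DNS/NTP/CHARGEN reflection traffic an
# infected host would emit. All addresses, CSV contents and log lines are
# constructed placeholders (RFC 5737 ranges), not real indicators.
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for the alert's .csv; real column names may differ.
IOC_CSV = """indicator,type,description
198.51.100.23,IPv4,placeholder C2 address
203.0.113.77,IPv4,placeholder C2 address
00000000000000000000000000000000,MD5,placeholder hash (not used here)
"""

# Assumption: your own address space is a single RFC 1918 block.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# UDP services abused as reflectors by the three attack types DeltaCharlie supports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Constructed flow log: timestamp src sport dst dport proto bytes
FLOW_LOG = """2017-06-14T10:00:01Z 10.0.5.12 49152 198.51.100.23 443 tcp 1200
2017-06-14T10:00:02Z 10.0.5.12 50001 192.0.2.10 123 udp 60
2017-06-14T10:00:02Z 10.0.5.12 50002 192.0.2.11 123 udp 60
2017-06-14T10:00:02Z 10.0.5.12 50003 192.0.2.12 123 udp 60
2017-06-14T10:00:02Z 10.0.5.12 50004 192.0.2.13 123 udp 60
2017-06-14T10:00:02Z 10.0.5.12 50005 192.0.2.14 123 udp 60
2017-06-14T10:00:03Z 10.0.5.12 50006 192.0.2.20 19 udp 40
2017-06-14T10:00:03Z 10.0.5.12 50007 192.0.2.21 19 udp 40
2017-06-14T10:00:04Z 10.0.7.3 53123 192.0.2.53 53 udp 70
2017-06-14T10:00:05Z 10.0.7.3 41000 203.0.113.77 8080 tcp 500
2017-06-14T10:00:06Z 192.0.2.99 40000 10.0.7.3 443 tcp 900
"""


def load_ioc_ips(csv_text):
    """Return the set of IPv4/IPv6 indicators; hash and other rows are skipped."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"].strip().lower().startswith("ipv"):
            ips.add(ipaddress.ip_address(row["indicator"].strip()))
    return ips


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, nbytes = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def match_iocs(flows, ioc_ips):
    """Flows touching a watchlisted IP, as (timestamp, other endpoint, IOC IP)."""
    hits = []
    for f in flows:
        for side in ("src", "dst"):
            if f[side] in ioc_ips:
                other = f["dst"] if side == "src" else f["src"]
                hits.append((f["ts"], str(other), str(f[side])))
    return hits


def find_reflection_sources(flows, min_targets=5):
    """Internal hosts sending UDP to many distinct reflectors of one service.

    A host talking to a couple of resolvers or NTP servers is normal; fan-out
    to many distinct servers on the same reflector port is the pattern of a
    bot seeding an amplification attack. Returns (host, service, target count).
    """
    fanout = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["proto"] == "udp" and f["dport"] in REFLECTOR_PORTS and is_internal(f["src"]):
            fanout[f["src"]][f["dport"]].add(f["dst"])
    alerts = []
    for src, by_port in fanout.items():
        for port, targets in by_port.items():
            if len(targets) >= min_targets:
                alerts.append((str(src), REFLECTOR_PORTS[port], len(targets)))
    return sorted(alerts)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for hit in match_iocs(flows, load_ioc_ips(IOC_CSV)):
        print("IOC match:", hit)
    for alert in find_reflection_sources(flows):
        print("reflection fan-out:", alert)
```

One caveat when applying the second rule: a bot that spoofs the victim's address as the source will not appear under an internal address in the flow source field. If your egress does not enforce source-address validation (BCP 38), also review UDP flows leaving the network whose source is outside your address space.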
Although no new DDoS attacks attributable to this malware have been spotted, the stated purpose of the alert is to raise awareness of North Korea's cyber-weapons and to degrade their capabilities by getting the indicators into defenders' hands.