
Brambul

Posted: May 9, 2019

Brambul is a basic computer worm that may have been used in one of Hidden Cobra’s campaigns that target companies and organizations in the aerospace and financial sectors. Malware researchers suspect that the Hidden Cobra APT group originates from North Korea, and one of the primary motives for their attacks is espionage.

The Brambul worm takes advantage of the Windows Server Message Block (SMB) component, which enables the attackers to identify and target other users on the same network. The SMB component gained media attention in 2018 when the NSA hacking tool leak revealed two zero-day exploits that target this particular Windows feature. However, the Brambul worm does not make use of the EternalBlue and EternalRomance exploits.

Once Brambul is activated on a computer, it may use the Server Message Block to identify other IP addresses that are part of the same network. After this, it attempts to brute force their login credentials by using a pre-made list of usernames and passwords. If its attempts are successful, it may proceed to create an admin share on the remote computer and then copy itself to the Windows directory under the name ‘crss.exe.’ Whenever the Brambul worm is installed on a computer, it gathers system information and sends it to the address whiat1001@gmail.com: the IP address of the compromised system, its operating system, the IP address of the computer that dropped the worm, and the username and password combination that was used.
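The brute-force stage described above leaves a recognisable trace in logon telemetry: one source address trying many usernames in quick succession and then succeeding. The following is an added detection example, not code from the original post or from the worm itself; it assumes logon events have already been reduced to (timestamp, source IP, username, outcome) records, and the sample records are constructed.

```python
"""Detect Brambul-style SMB brute-force logons and the worm's drop name."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): (timestamp, source_ip, username, outcome)
SAMPLE_LOGONS = [
    ("2019-05-09 10:00:01", "10.0.0.5", "administrator", "failure"),
    ("2019-05-09 10:00:02", "10.0.0.5", "admin", "failure"),
    ("2019-05-09 10:00:03", "10.0.0.5", "guest", "failure"),
    ("2019-05-09 10:00:04", "10.0.0.5", "user", "failure"),
    ("2019-05-09 10:00:05", "10.0.0.5", "administrator", "success"),
    ("2019-05-09 10:05:00", "10.0.0.9", "alice", "success"),
    ("2019-05-09 10:06:00", "10.0.0.9", "alice", "failure"),
]


def find_bruteforce_sources(records, min_failures=4, window=timedelta(minutes=2)):
    """Return {source_ip: (failure_count, distinct_usernames, success_after_failures)}
    for every source with at least `min_failures` failed logons inside `window`.
    A success that follows the failures is the signal that a password-list attempt
    like Brambul's actually found a working credential."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in records:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, outcome))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # oldest first
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            failures = [e for e in in_window if e[2] == "failure"]
            if len(failures) >= min_failures:
                users = {e[1] for e in failures}
                last_fail = max(e[0] for e in failures)
                success_after = any(e[2] == "success" and e[0] >= last_fail for e in in_window)
                alerts[src] = (len(failures), len(users), success_after)
                break  # one alert per source is enough
    return alerts


def is_suspicious_drop(path):
    """Flag a file written as 'crss.exe' directly in the Windows directory, the
    name the post reports Brambul copies itself under (one letter short of the
    legitimate csrss.exe, which lives in System32, not the Windows root)."""
    normalised = path.replace("/", "\\").lower()
    return normalised.endswith("\\windows\\crss.exe")
```

A real collector would feed the same record shape from Windows logon events (failed and successful network logons) on the file servers the worm scans.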

It seems that the Brambul worm might be part of a reconnaissance operation that may help the attackers coordinate their future actions. The basic brute force method that this worm employs is proof of the importance of using strong, non-predictable passwords.
