
COPPERHEDGE

Posted: May 14, 2020

COPPERHEDGE, also known as Manuscrypt, is a piece of malware whose attacks were first observed in 2018. The samples were obtained from compromised computers in South Korea, and the attack was attributed to the Lazarus APT (also known as HIDDEN COBRA), a cybercrime organization backed by the North Korean government. The COPPERHEDGE malware has evolved many times over the years, and cybersecurity experts have so far identified six different variants of the implant. Most of these variants share the same core features, but several of them run additional modules that extend their functionality, which suggests that the HIDDEN COBRA hackers craft more elaborate COPPERHEDGE payloads depending on their target.

Just like other Remote Access Trojans (RATs), COPPERHEDGE also provides its operators with the ability to execute a wide range of actions on the infected host. The North Korean hackers could use the implant to:

  • Collect hardware and software information.
  • List drive partitions.
  • Manipulate the payload's configuration.
  • Deliver additional payloads and execute them.
  • Exfiltrate files from the infected computer.
  • Run remote commands.
  • Kill or spawn new processes.
  • Self-destruct.

The North Korean Hackers Use Compromised Websites to Set Up their C2 Infrastructure

Another thing worth noting about COPPERHEDGE is that it has one of the largest Command and Control server infrastructures of any North Korean campaign. The samples appear to pick at random from dozens of hardcoded IP addresses and domains used by the attackers. Naturally, a large fraction of this infrastructure is hosted on legitimate servers whose security the hackers compromised earlier and which they now use for their attacks.

Networks can be protected from threats like COPPERHEDGE by using up-to-date anti-virus and firewall services, and by instructing employees to be extra careful with the files they download from the Web. HIDDEN COBRA often relies on bogus email attachments to deliver the payload to its victims.
