The U.S. Justice Department launched a campaign to disrupt the Joanap botnet – a global network of infected computers under the control of North Korean hackers and used to facilitate cyberattacks.
This effort follows charges against Park Jin Hyok, a North Korean citizen backed by the North Korean government, for carrying out numerous computer intrusions. He was charged with using a strain of malware called “Brambul,” which was also used to propagate the Joanap botnet.
“Computers around the world remain infected by a botnet associated with the North Korean Regime,” Assistant Attorney General for National Security John Demers said. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”
Joanap malware targets computers running the Microsoft Windows operating system. It is used to gain access to a computer and allow hackers to carry out malicious cyber activities. Joanap is a “second stage” malware that crawls from computer to computer, probing whether it can gain access through certain vulnerabilities. Once installed, Joanap allowed the North Korean hackers to remotely access the infected computer and load additional malware onto it.
“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said U.S. Attorney Nicola Hanna. “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.”
The malware is designed to evade detection by the users of the infected machines. Computers infected with Joanap became part of a network of compromised computers known as a botnet.
“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners,” Assistant Director in Charge (ADIC) Paul Delacourt of the FBI’s Los Angeles Field Office and the U.S. Air Force Office of Special Investigations said. “We urge computer users to take precautions, such as updating their software and utilizing antivirus, in order to avoid being victimized by this type of malware.”
To combat it, the FBI posed as infected peers in the botnet and collected limited identifying and technical information about other infected peers. It then used that information to build a map of infected users. The government is notifying victims in the United States of the presence of Joanap on their infected computers.
The officials said that Windows Defender Antivirus and Windows Update will remediate and prevent Joanap infections. Several antivirus products can also detect and remove Joanap and Brambul, including the Microsoft Safety Scanner, a free tool.