The Justice Department on Wednesday announced what it called “an extensive effort” to map and further disrupt, through victim notifications, the Joanap botnet – a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities.
This effort targeting the Joanap botnet follows charges unsealed last year in which the United States charged a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions. Those charges alleged that the conspiracy utilized a strain of malware, “Brambul,” which was also used to propagate the Joanap botnet.
Joanap malware targets computers running the Microsoft Windows operating system and is used to gain access to, and maintain, infrastructure from which the hackers can carry out other malicious cyber activities. Joanap is a “second stage” malware, one that is typically “dropped” by the automated Brambul “worm,” which crawls from computer to computer and probes each one for vulnerabilities it can use to gain access.
Once installed, Joanap allowed the North Korean hackers to remotely access the infected computer, gain root level (or near-total) control over it, and load additional malware onto it.
Computers infected with Joanap — known as “peers” or “bots” — became part of a network of compromised computers known as a botnet. Like other botnets, Joanap was designed to operate automatically and undetected on victims’ computers.
Joanap uses a decentralized peer-to-peer communication system to communicate with and control the peers, rather than a centralized mechanism such as a command-and-control domain. Because there is no single server or domain to seize, disrupting such a network depends on identifying the individual infected peers and getting them cleaned up, which is why the effort announced here centers on mapping the botnet and notifying victims.
“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General Demers. “Through this operation, we are working to eradicate the threat that North Korean state hackers pose to the confidentiality, integrity, and availability of data.”
“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said U.S. Attorney Hanna. “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet.”