COURT DOC: DoJ Announces Court-Authorized Efforts to Map & Disrupt Botnet Used by North Korean Hackers

The Justice Department today announced an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities. This effort targeting the Joanap botnet follows charges unsealed last year in which the United States charged a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions. Those charges alleged that the conspiracy utilized a strain of malware, ‘Brambul,’ which was also used to propagate the Joanap botnet.

Joanap malware targeted computers running the Microsoft Windows operating system and is used to gain access to and maintain infrastructure from which the hackers can carry out other malicious cyber activities. Joanap is a second stage malware, one that is often ‘dropped’ by the automated Brambul ‘worm’ that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities. Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers, gain root level (or near-total) access to infected computers, and load additional malware onto infected computers.

Computers infected with Joanap known as ‘peers’ or ‘bots’ became part of a network of compromised computers known as a botnet. Like other botnets, Joanap was designed to operate automatically and undetected on victims computers. Joanap uses a decentralized peer-to-peer communication system, rather than a centralized mechanism to communicate with and control the peers, such as a command-and-control domain. (Source: U.S. Department of Justice)