Recently, the US Department of Justice has announced a high-level hacking organization code-named Cobra, which is often referred to by the technology media as Lazarus. Lazarus has infected many PCs around the world and launched attacks on businesses in the past years, including Sony Pictures and the National Bank of Bangladesh. Lazarus is also considered a North Korean-backed advanced persistent threat (APT) organization, and WannaCry ransomware is also from the organization.
After investigating the source, the US Department of Justice found that Lazarus organizations date back to 2009 when there was a remote access tool called Joanap. The tool is primarily spread-borne in the SMB file-sharing worm, which forces the SMB service to open and continues to infect other computers. The worm is first infected and then loaded with the Joanap remote access tool so that members of the Lazarus organization can connect directly if needed.
A botnet composed mainly of Joanap does not use a remote server but uses P2P peer-to-peer communication as a server and transmission instructions. Therefore, all infected computers will become part of the control server, accepting hacker control and continuing to infect other computers as nodes. In order to conduct a thorough investigation, the US Federal Bureau of Investigation and the Air Force Special Investigation Office obtained a court order allowing these agencies to actively join the botnet.
In fact, the virus has been blocked by anti-virus software, but so many users who do not install anti-virus software will be inadvertently infected with the virus. In this investigation, the US Department of Justice has collected computer information infected with Joanap including IP address, port number, and timestamp information of the connection. With this information, a map of the botnet can be created, and the US Department of Justice provides this information to the operator for the operator to notify the user. In addition to the United States, the US Department of Justice also shared infection data with other countries to notify victims outside the United States to clear the botnet as soon as possible.