The US has infiltrated, mapped, and poked a stick into the spokes of Joanap: what it claims is a botnet of hijacked Microsoft Windows computers operated by botnet masters in North Korea.

The Feds are also continuing to mess with the globe-spanning network by notifying the owners of the commandeered systems Joanap still controls, years after it was first discovered and in spite of antivirus software being able to fend it off.

The US Department of Justice (DOJ) announced on Wednesday that the effort follows charges, unsealed in September 2018, against a North Korea regime-backed programmer, Park Jin Hyok.

The botnet behind some big baddies

The complaint against Park alleged that he and his co-conspirators used a Server Message Block (SMB) worm commonly known as Brambul to gain unauthorized access to computers, and then used those computers to carry out a mess of big, nasty cyberattacks.

Among them were the global WannaCry ransomware attack of 2017, the 2014 attack on Sony Pictures, and the $81m cyber heist from 2016 that drained Bangladesh’s central bank.

The complaint alleged that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specifically called out Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security (DHS).

Specifically, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware like WannaCry.

Hidden Cobra, crouching warrants

As US-CERT detailed in a May 2018 alert, the Joanap RAT is a so-called “second-stage” malware that’s often spread by the “first-stage” Brambul malware.

Once installed on a system, Joanap allows what the US claims are its North Korean overlords to remotely access infected computers with root-level privileges and to load additional malware onto them.

Joanap-infected computers – known as peers or bots – then get lassoed into the botnet. The Joanap botnet uses a decentralized peer-to-peer (P2P) setup to communicate, rather than a centralized command-and-control domain. …

… a fact that came into play in October, when a California court granted a court order and search warrant giving the FBI and the US Air Force Office of Special Investigations (AFOSI) the go-ahead to operate servers that pretended to be peers in the botnet.

That way, the FBI’s imposter peers could collect what prosecutors said was “limited identifying and technical information about other peers infected with Joanap,” including IP addresses, port numbers, and connection timestamps.

The FBI and AFOSI used that information to build a map of the Joanap botnet’s infected computers.
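The article says the impostor peers collected only IP addresses, port numbers and connection timestamps, and that those records were enough to build a map of infected hosts that could then be used to notify their owners. The following is an added example, not code from the article, the DOJ or any Joanap analysis: it takes a constructed log of peer contacts in a hypothetical line format (the real Joanap wire protocol is not modelled), validates each record, aggregates them into a per-host map, and ranks hosts by when they were last seen so the freshest infections are notified first.

```python
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample of what an impostor peer might log: one line per inbound
# contact, in a hypothetical format (not the Joanap protocol):
#   <observer_id> <ISO-8601 UTC timestamp> <remote_ip> <remote_port>
# IPs are from documentation ranges; the last line is deliberately malformed.
SAMPLE_OBSERVATIONS = """\
peer-A 2018-10-15T03:12:09Z 198.51.100.23 443
peer-A 2018-10-15T03:40:51Z 203.0.113.7 8080
peer-B 2018-10-15T04:02:17Z 198.51.100.23 443
peer-B 2018-10-16T11:20:00Z 192.0.2.150 443
peer-A 2018-10-17T09:05:33Z 203.0.113.7 8081
peer-B 2018-10-17T09:06:00Z not-an-ip 443
"""


def parse_observations(text):
    """Parse observation lines into dicts, silently skipping malformed records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        observer, ts, ip, port = parts
        try:
            addr = ip_address(ip)
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            port = int(port)
        except ValueError:
            continue  # bad IP, timestamp or port: drop the record
        if not 0 < port < 65536:
            continue
        records.append({"observer": observer, "when": when, "ip": str(addr), "port": port})
    return records


def build_peer_map(records):
    """Aggregate per infected host: first/last seen, ports used, which impostor
    peers saw it, and how many contacts were observed in total."""
    peers = {}
    for r in records:
        entry = peers.setdefault(r["ip"], {
            "first_seen": r["when"], "last_seen": r["when"],
            "ports": set(), "observers": set(), "contacts": 0,
        })
        entry["first_seen"] = min(entry["first_seen"], r["when"])
        entry["last_seen"] = max(entry["last_seen"], r["when"])
        entry["ports"].add(r["port"])
        entry["observers"].add(r["observer"])
        entry["contacts"] += 1
    return peers


def notification_list(peers):
    """Hosts ordered by most recent contact: the owners to notify first."""
    return sorted(peers, key=lambda ip: peers[ip]["last_seen"], reverse=True)


if __name__ == "__main__":
    peer_map = build_peer_map(parse_observations(SAMPLE_OBSERVATIONS))
    for ip in notification_list(peer_map):
        e = peer_map[ip]
        print(f"{ip:16} last seen {e['last_seen']:%Y-%m-%d %H:%M} "
              f"ports={sorted(e['ports'])} seen_by={sorted(e['observers'])} "
              f"contacts={e['contacts']}")
```

A host seen by more than one impostor peer is stronger evidence of an active infection than a single contact, which is why the map keeps the set of observers rather than just a count; the malformed-line handling matters because a sinkhole log is untrusted input from the botnet itself.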

The reason we’re hearing about this now, as opposed to when the warrant was granted in October, is that the court gave the FBI permission to delay service of the warrant until last week, on Wednesday, because serving it earlier would very likely have prompted flight from justice or the tampering with or destruction of evidence.