The HIDDEN COBRA detection rule identifies potential command and control activity associated with North Korea’s DDoS botnet infrastructure, leveraging unusual network traffic patterns and encrypted communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of botnet compromise and mitigate potential large-scale DDoS attacks.
YARA Rule
rule apt_hiddencobra_binaries {
    meta:
        description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure"
        author = "US-CERT"
        url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
    strings:
        $STR1 = "Wating" wide ascii
        $STR2 = "Reamin" wide ascii
        $STR3 = "laptos" wide ascii
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them
}
This rule contains 3 string patterns in its detection logic.
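To make the rule's condition concrete, the following is an added Python walkthrough (not part of the page and not US-CERT's code) that re-implements the same logic without a YARA engine: it decodes each little-endian magic-number check in the condition into the file type it selects, matches the three strings as both ASCII and UTF-16LE (YARA's `wide ascii`), and applies the `2 of them` threshold. The sample buffers are constructed for illustration, not real samples.

```python
import struct

# Strings from the US-CERT rule apt_hiddencobra_binaries; each is matched
# as plain ASCII and as UTF-16LE, which is what "wide ascii" means in YARA.
RULE_STRINGS = {
    "$STR1": "Wating",
    "$STR2": "Reamin",
    "$STR3": "laptos",
}

# The rule's file-header checks. YARA's uintN(offset) reads little-endian,
# so the constant 0x5A4D corresponds to the bytes 4D 5A, i.e. "MZ".
# (offset, width in bytes, expected integer, what the bytes spell)
HEADER_CHECKS = [
    (0, 2, 0x5A4D, "MZ (PE executable)"),
    (0, 2, 0xCFD0, "D0 CF (OLE compound file, e.g. legacy Office document)"),
    (0, 2, 0xC3D4, "D4 C3 (pcap capture)"),
    (0, 4, 0x46445025, "%PDF"),
    (1, 4, 0x6674725C, "\\rtf at offset 1, i.e. a {\\rtf document"),
]


def read_uint(data: bytes, offset: int, width: int):
    """Mirror YARA's uint16/uint32: little-endian, undefined (None) past EOF."""
    if offset + width > len(data):
        return None
    fmt = "<H" if width == 2 else "<I"
    return struct.unpack_from(fmt, data, offset)[0]


def header_matches(data: bytes):
    """Return the label of the first header check that matches, or None."""
    for offset, width, expected, label in HEADER_CHECKS:
        if read_uint(data, offset, width) == expected:
            return label
    return None


def matched_strings(data: bytes):
    """Return the identifiers of rule strings present as ASCII or UTF-16LE."""
    hits = []
    for ident, text in RULE_STRINGS.items():
        if text.encode("ascii") in data or text.encode("utf-16-le") in data:
            hits.append(ident)
    return hits


def rule_apt_hiddencobra_binaries(data: bytes) -> bool:
    """Evaluate the rule's condition: a known header AND at least 2 of the 3 strings."""
    return header_matches(data) is not None and len(matched_strings(data)) >= 2


# Constructed sample buffers for illustration only; none is a real file.
SAMPLES = {
    # PE header, one ASCII string and one UTF-16LE string -> matches
    "pe_two_strings": b"MZ" + b"\x00" * 62 + b"Wating" + "Reamin".encode("utf-16-le"),
    # PE header but only one string -> below the "2 of them" threshold
    "pe_one_string": b"MZ" + b"\x00" * 62 + b"laptos",
    # all three strings but no recognised header -> the header gate rejects it
    "no_header_all_strings": b"Wating Reamin laptos",
    # RTF header via the uint32(1) check, two strings -> matches
    "rtf_two_strings": b"{\\rtf1 Reamin laptos}",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        verdict = rule_apt_hiddencobra_binaries(buf)
        print(f"{name:24} header={header_matches(buf)!r} "
              f"strings={matched_strings(buf)} -> {verdict}")
```

The point of the header gate is scope: the rule only fires on PE, OLE compound, pcap, PDF and RTF files, so a plain text log that happens to contain the words will not match, and a PE that contains only one of the misspelled strings will not either. In production, scan with the YARA engine itself rather than this emulation, but the same two questions (does the header gate pass, and which strings hit) are the first things to check when triaging an alert.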
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task using task scheduler or cron is running a script that includes the string “cobra” in its name or log output.
Filter/Exclusion: Exclude events where the process is associated with task scheduler or cron and the command line includes known maintenance scripts (e.g., maintenance_script.sh, sys_cleanup.bat).
Scenario: Log Analysis Tool Parsing Logs
Description: A log analysis tool like ELK Stack or Splunk is parsing system logs and the term “cobra” appears in log entries due to a misconfigured regex or keyword filter.
Filter/Exclusion: Exclude events where the source is a log analysis tool (e.g., source_type = "syslog", source = "splunk") or where the event is tagged as log_analysis.
Scenario: Admin Performing DNS Configuration via PowerShell
Description: An administrator is using PowerShell to configure DNS settings, and the script includes the word “cobra” as part of a variable or comment for documentation purposes.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes dns_config.ps1 or similar scripts used for administrative tasks.
Scenario: Backup Job Using Cobalt Strike (False Positive)
Description: A backup job is using a tool named “Cobalt Strike” (a legitimate security tool) and the name is being misinterpreted as part of the HIDDEN COBRA botnet.
Filter/Exclusion: Exclude events where the process is cobaltstrike.exe or where the command line includes --backup or --restore flags.
Scenario: Network Monitoring Tool Generating Alerts
Description: A network monitoring tool like `Wireshark