The HIDDEN COBRA detection rule identifies potential command and control activity associated with North Korea’s DDoS botnet infrastructure, leveraging unusual network traffic patterns and encrypted communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of botnet deployment and mitigate the risk of large-scale DDoS attacks.
YARA Rule
rule apt_hiddencobra_rsakey {
    meta:
        description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure"
        author = "US-CERT"
        url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
    strings:
        $rsaKey = { 7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
                    A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
                    48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
                    73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
                    AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
                    39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
                    3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
                    B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0 }
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern ($rsaKey, a fixed 128-byte hex sequence) in its detection logic; with a single string, the condition "any of them" is satisfied whenever that sequence appears anywhere in the scanned file.
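To show exactly what the rule's hex string matches, here is an added example (not part of the original page or of the US-CERT rule) that re-implements YARA hex-string semantics in plain Python: it parses the `$rsaKey` byte sequence copied from the rule above (plus the `??` wildcard, which this rule does not use), scans a constructed buffer, and emulates the `any of them` condition. The sample buffer and the helper names are assumptions made for the example.

```python
import re

# Byte sequence copied from the $rsaKey string of the YARA rule above (128 bytes).
RSA_KEY_HEX = """
7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0
"""


def parse_hex_pattern(pattern: str) -> list:
    """Turn a YARA-style hex string body into a list of byte values;
    a '??' wildcard becomes None so that it matches any byte."""
    tokens = []
    for tok in pattern.replace("{", " ").replace("}", " ").split():
        if tok == "??":
            tokens.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            tokens.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return tokens


def find_pattern(data: bytes, tokens: list) -> list:
    """Return every offset in data where the token sequence matches.
    A plain sliding window; real YARA uses a faster automaton, but the
    match semantics for fixed bytes and '??' wildcards are the same."""
    n = len(tokens)
    return [
        off for off in range(len(data) - n + 1)
        if all(t is None or data[off + i] == t for i, t in enumerate(tokens))
    ]


def rule_matches(data: bytes) -> bool:
    """Emulate the rule's condition: 'any of them' over its single string."""
    return bool(find_pattern(data, parse_hex_pattern(RSA_KEY_HEX)))


# Constructed sample (assumption): the key blob embedded at offset 64 in filler bytes.
SAMPLE = bytes(64) + bytes(parse_hex_pattern(RSA_KEY_HEX)) + bytes(32)

if __name__ == "__main__":
    print(find_pattern(SAMPLE, parse_hex_pattern(RSA_KEY_HEX)))  # [64]
```

Because the pattern has no wildcards or jumps, a single changed byte in the embedded key (for example a rebuilt key in a newer sample) defeats the rule, which is why a hunt should pair it with the behavioural indicators the page describes.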
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task using crontab or Task Scheduler runs a script that temporarily spikes network traffic due to large file transfers or backups.
Filter/Exclusion: Exclude traffic originating from known maintenance scripts or processes (e.g., backup.sh, system_cleanup.sh, or Task Scheduler tasks with known execution times).
Scenario: Admin Performing Network Stress Test
Description: A network administrator uses a tool like iperf3 or netperf to conduct a bandwidth stress test, which generates high outbound traffic.
Filter/Exclusion: Exclude traffic from known admin tools (iperf3, netperf, or tcpreplay) or from user accounts with elevated privileges (e.g., root, admin).
Scenario: Log File Syncing via rsync
Description: A scheduled job using rsync synchronizes large log files across servers, causing temporary spikes in outbound traffic.
Filter/Exclusion: Exclude traffic from rsync processes or from known log sync jobs (e.g., rsync /var/log/ /backup/log/).
Scenario: Database Backup Using mysqldump
Description: A database administrator uses mysqldump to perform a full database backup, which results in high outbound traffic.
Filter/Exclusion: Exclude traffic from mysqldump processes or from scheduled backups (e.g., mysqldump --all-databases > backup.sql).
Scenario: Software Update via apt or yum
Description: A system runs a package update using apt or yum, which can cause temporary spikes in outbound traffic due to downloading large packages.
Filter/Exclusion: Exclude traffic from package managers (apt, `