Threat Coverage

Jun 21, 2018

Hacker’s Playbook Updated with Methods for BADCALL


SafeBreach Labs has updated the Hacker’s Playbook™ with simulations for new attacks described in US-CERT Malware Analysis Report (MAR) – 10135536-G, attributed to North Korean Hidden Cobra actors.

This malware, dubbed BADCALL, turns victim Windows machines into relay points for encrypted traffic (a technique often called “Fake TLS”). Once compromised, attackers can use encrypted sessions to both access infected machines, and use those machines as relay points to obfuscate the origin point of malicious traffic.

SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. As always, SafeBreach LaauthorPicture2.pngbs will continue to monitor the situation, and develop new simulations as necessary.

To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook #1484 – Transfer of BADCALL

  • Network Controls – Are security controls in place to prevent the initial download of the infection malware used in this attack?

Playbook #1485 – Transfer of BADCALL

  • Network Controls – Are security controls in place to prevent the lateral transfer of the infection malware used in this attack?

Playbook #1486 – Local installation of BADCALL

  • Endpoint Controls – Are security controls in place to prevent the local deployment of the infection malware used in this attack?

The Safebreach Hacker’s Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.

Get the latest
research and news