US LEA’s Taking Steps To Eradicate Joanap



The United States is taking steps to dismantle the Joanap botnet, which was developed and controlled by the North Koreans from 2009. Now the US justice department is looking to decimate the botnet malware that is linked to the North Korean hackers.

Joanap is said to be a part of HIDDEN COBRA an ADVANCED PERSISTENT THREAT group often known as the Lazarus Group and Guardians of Peace that are supported by the North-Korean government.

The group has been involved in numerous cyber-attacks like The SWIFT banking attack and WannaCry ransomware attack that took place in 2016 and as well the Sony picture attack in 2014.


Joanap is a RAT (Random Access Tool) that lands on a victims system by the help of an SMB worm that was called Brambul, which goes from one system to another by Windows Server Message Block (SMB) file-sharing services by the method of brute forcing.

Once Brambul downloads joanap on an accessed windows system. After which a backdoor is generated in the infected system. The attackers can get remote system access when needed.

Joanap doesn’t take orders from the command and control server but rather corresponds with the P2P (peer to peer) communication infrastructure. Systems that are infected and are a part of the Command and control.

Although Joanap is being blocked by multiple anti malware protection systems, however regardless of that many infected computers are still effected with the malware.

The U.S justice department on Wednesday announced that it will take the necessary steps to map out the Malware in a press release.

“While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet,” said U.S. Attorney Nicola T. Hanna.

“The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.”

 To eradicate this malware the LEA’s have deployed operating servers that mimic the peers in the botnet environment to show itself to the botnet as an infected system. From this method the LEA’s can understand and study the botnet to locate the accurate and main C&C from where the malware is spreading.

The study regarding the malware shows that IP addresses, port numbers, and connection timestamps were being recorded with the LEA’s that they could map the malware.

Joanap has been infecting systems in the US since 2009. Including Media, financial institutes and critical infrastructures.

Agencies are informing infected system owners with the malware through their local internet service providers. If the malware is in other countries the US government will inform them as well that the malware can be eradicated.


Please enter your comment!
Please enter your name here