The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint malware analysis report (MAR) on a new Trojan dubbed HOPLIGHT, used by the North-Korean APT group Lazarus.
According to the MAR AR19-100A advisory published on the US-CERT website, the new Trojan was detected while tracking the malicious cyber activity of the North Korean-backed hacking group
HIDDEN COBRA (also known as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).
The AR19-100A advisory was issued by the FBI and the DHS "to enable network defense and reduce exposure to North Korean government malicious cyber activity."
As further detailed in the advisory:
This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
The report published on the US-CERT website contains a detailed analysis of nine executable files found to be infected with Lazarus' HOPLIGHT Trojan malware strain, with seven of them being "proxy applications that mask traffic between the malware and the remote operators."
All these malicious proxies used by the Lazarus group to hide their location are capable of generating "fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors."
The advisory also notes that "One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files."
"When executed the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions," according to the malware analysis.
The HOPLIGHT Trojan comes with the following malware capabilities as detailed in the DHS and FBI joint analysis:
---Begin Malware Capability---
Read, Write, and Move Files
Enumerate System Drives
Create and Terminate Processes
Inject into Running Processes
Create, Start and Stop Services
Modify Registry Settings
Connect to a Remote Host
Upload and Download Files
---End Malware Capability---
The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication.
Malware analysis reports are issued by the DHS via US-CERT to "provide organizations with more detailed malware analysis acquired via manual reverse engineering."
Full analysis for each of the nine malicious samples as well as a full list of IOCs are available within the
AR19-100A advisory. The IOCs can also be downloaded as an XML document from
HERE.
source
