Officials at the US Department of Homeland Security (DHS) have issued another warning about North Korean malware, this time a new variant dubbed “Hoplight.”
The backdoor trojan malware is linked to the notorious Hidden Cobra group, also known as the Lazarus Group.
“This artifact is a malicious PE32 executable. When executed the malware will collect system information about the victim machine including OS version, volume information, and system time, as well as enumerate the system drives and partitions,” the alert warned.
“The malware is capable of the following functions: Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files.”
The malware uses a public SSL certificate for secure communications from South Korean web giant Naver, and employs proxies to obfuscate its activity.
“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report claimed.
This is the latest in a long line of alerts warning of new North Korean malware, now in the double-digits.
It urges IT teams to follow best practices in cybersecurity including keeping systems and AV tools up-to-date and patched, disabling file and printer sharing, enforcing strong passwords, restricting user permissions, scanning for suspicious email attachments and more.
Experts welcomed the latest report.
“This is the 16th report compiled by the DHS and FBI over the past two years on malicious activity associated with Hidden Cobra. Hoplight primarily consists of proxy applications used by Hidden Cobra to disguise its efforts to ‘phone home,’ which is the traffic sent by the malware back to its command and control (C&C) server,” explained Satnam Narang, senior research engineer at Tenable.
“The continued analysis and reporting by these agencies helps provide organizations key indicators of compromise to identify infected systems as well as guidance to thwart attempts by Hidden Cobra to infiltrate more organizations.”