US government publishes details on North Korea's HOPLIGHT malware

DHS and FBI publish their sixteenth report on North Korean malware.

northkoreahoplight

The US government has put out a security alert today about a new malware strain used by North Korean hackers, which the US government has named HOPLIGHT.

The report, authored by malware analysts from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), attributes the HOPLIGHT malware to HIDDEN COBRA, the US government's designation for North Korea's main government-backed hacking group, also referred to in news articles and cyber-security reports as the Lazarus Group.

Security alert warns of dangerous backdoor trojan

According to the joint DHS-FBI alert, HOPLIGHT appears to be a very powerful backdoor trojan.

On infected systems, the malware collects information about the target's device and sends the data to a remote server. It can also receive commands from its command and control (C&C) server and execute various operations on infected hosts.

According to DHS-FBI report, HOPLIGHT can:

  • Read, write, and move files
  • Enumerate system drives
  • Create and terminate processes
  • Inject code into running processes
  • Create, start, and stop services
  • Modify registry settings
  • Connect to a remote host
  • Upload and download files

The malware also uses a built-in proxy application to mask its communications with the remote command-and-control (C&C) server.

"The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors," said DHS and FBI analysts.

HOPLIGHT appears to be new malware

The report includes digital signatures for nine files associated with the malware. None of the files were previously available on VirusTotal.

"The variants of HOPLIGHT malware attributed to North Korean malicious cyber activity are new, it has not been publically released before today," an official for the DHS' Cybersecurity and Infrastructure Security Agency (CISA) told ZDNet.

"HOPLIGHT has been detected in use globally in a wide array of HIDDEN COBRA malicious activity, not specific to a particular critical infrastructure sector," the official added.

Today's HOPLIGHT report is the DHS and FBI's sixteenth report on North Korean malware. The agencies previously released reports on WannaCry, DeltaCharlie (two reports), Volgmer, FALLCHILL, BANKSHOT, BADCALL, HARDRAIN, SHARPKNOT, an unnamed remtoe access trojan/worm, Joanap and Brambul, TYPEFRAME, KEYMARBLE, and FASTCash (two reports).

And all these reports appear to have paid off, in the long run.

"Generally, when CISA releases alerts on state-sponsored activity we receive some reports from infected victims," the CISA official told ZDNet. "CISA recommends victims who observe malicious activity report it to the NCCIC or the FBI Cyber Watch."

All the DHS' previous reports are available on this page, including the one on HOPLIGHT, which also comes with indicators of compromise that organizations can use to scan their networks for traces of HOPLIGHT.

In January 2019, the DOJ, FBI, and US Air Force moved in to take down North Korea's Joanap botnet.

Article updated with comments from CISA official.

Related malware and cybercrime coverage: