APT

FBI/DHS MAR report details HOPLIGHT Trojan used by Hidden Cobra APT

According to a joint report published by the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), North Korea-linked Lazarus APT group is using a new Trojan in attacks.

According to a joint report issued by the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), North Korea-linked Lazarus APT group is using a new Trojan in attacks in the wild.

The activity of the Lazarus Group (aka BlueNoroffand Hidden Cobra ) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

According to Kaspersky Lab, since at least November 2018 the APT group has been leveraging PowerShell to target both Windows and macOS machines in a new wave of attacks.

Now the DHS and the FBI published a Malware Analysis Report (MAR) that includes technical details on a new Trojan used by Hidden Cobra that was tracked as HOPLIGHT. This MAR includes details on the malicious code and aims at suggesting response actions and recommended mitigation techniques.

The backdoor gathers information from the infected systems and supports several commands from command and control (C&C) server.

“This report provides analysis of nine malicious executable files. Seven of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors.” reads the report. “One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.”

The experts analyzed the nine files composed the malware, seven of which are proxy applications used to mask traffic with C2 infrastructure. The proxies can generate fake TLS handshake sessions using valid public SSL certificates to disguise connections with the operators.

The HOPLIGHT Trojan implements the following functions:

  • Read, Write, and Move Files
  • Enumerate System Drives
  • Create and Terminate Processes
  • Inject into Running Processes
  • Create, Start and Stop Services
  • Modify Registry Settings
  • Connect to a Remote Host
  • Upload and Download Files

Further details, including Indicators of Compromise (IoCs), are available in the MAR report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – HOPLIGHT, Hidden Cobra)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

2 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

13 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

17 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

23 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.