FBI/DHS MAR report details HOPLIGHT Trojan used by Hidden Cobra APT

According to a joint report published by the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), North Korea-linked Lazarus APT group is using a new Trojan in attacks.

According to a joint report issued by the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), North Korea-linked Lazarus APT group is using a new Trojan in attacks in the wild.

The activity of the Lazarus Group (aka BlueNoroffand Hidden Cobra ) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

According to Kaspersky Lab, since at least November 2018 the APT group has been leveraging PowerShell to target both Windows and macOS machines in a new wave of attacks.

Now the DHS and the FBI published a Malware Analysis Report (MAR) that includes technical details on a new Trojan used by Hidden Cobra that was tracked as HOPLIGHT. This MAR includes details on the malicious code and aims at suggesting response actions and recommended mitigation techniques.

The backdoor gathers information from the infected systems and supports several commands from command and control (C&C) server.

“This report provides analysis of nine malicious executable files. Seven of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors.” reads the report. “One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.”

The experts analyzed the nine files composed the malware, seven of which are proxy applications used to mask traffic with C2 infrastructure. The proxies can generate fake TLS handshake sessions using valid public SSL certificates to disguise connections with the operators.

The HOPLIGHT Trojan implements the following functions:

• Read, Write, and Move Files
• Enumerate System Drives
• Create and Terminate Processes
• Inject into Running Processes
• Create, Start and Stop Services
• Modify Registry Settings
• Connect to a Remote Host
• Upload and Download Files

Further details, including Indicators of Compromise (IoCs), are available in the MAR report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – HOPLIGHT, Hidden Cobra)

[adrotate banner=”5″]

[adrotate banner=”13″]