The US government has issued a warning about a new malware strain believed to have been used by North Korean hackers.
Dubbed HOPLIGHT, the trojan malware variant has been identified by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) through “analytic efforts” between the agencies.
It is said to be targeting US companies and government agencies.
“Working with US Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government,” said the US Cybersecurity and Infrastructure Security Agency (CISA) in a statement.
“This malware variant has been identified as HOPLIGHT.”
The Malware Analysis Report (MAR) details nine files associated with the malware, giving file hashes for each, seven of which “are proxy applications that mask traffic between the malware and the remote operators”.
“DHS and FBI are distributing this MAR to enable network defence and reduce exposure to North Korean government malicious cyber activity,” the statement said.
According to CISA, the malware is able to generate fake TLS handshake sessions using valid public SSL certificates, disguising its connections to remote malicious actors so that the command-and-control traffic resembles ordinary HTTPS on casual inspection.
HOPLIGHT can read, write and move files, create and terminate processes, upload and download files and connect to a remote host, says the report.
A built-in proxy application can also mask communications with the remote command-and-control server.
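The page does not describe how HOPLIGHT's fake handshake is constructed, so the following is an added illustration rather than code from the CISA report or the article. It assumes one plausible weakness of a faked session: the proxy sends handshake records carrying a borrowed public certificate, but the bytes that follow are not framed as TLS records. The small record-layer parser below splits a captured byte stream into records and flags a stream that opens with a handshake but then carries unframed data. The sample streams, the payload bytes and the `record`, `parse_records` and `looks_like_fake_tls` helpers are all constructed here for the example; the certificate bytes are a stand-in, not real DER.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1; unchanged in RFC 8446)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
VALID_TYPES = {CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA}
# Legacy record versions seen on the wire: TLS 1.0, 1.1 and 1.2 (TLS 1.3 also uses 0x0303)
VALID_VERSIONS = {0x0301, 0x0302, 0x0303}
# Largest legal ciphertext fragment (RFC 5246 section 6.2.3)
MAX_RECORD_LEN = 2 ** 14 + 2048


def record(ctype, payload, version=0x0303):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def parse_records(stream):
    """Split a byte stream into TLS records.

    Returns (records, trailing) where records is a list of
    (content_type, version, payload) tuples and trailing is whatever
    remained that could not be parsed as a well-formed TLS record.
    """
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in VALID_TYPES or version not in VALID_VERSIONS or length > MAX_RECORD_LEN:
            break  # header is not TLS; stop and report the rest as trailing bytes
        end = off + 5 + length
        if end > len(stream):
            break  # truncated record; treat it as unparsed rather than guessing
        records.append((ctype, version, stream[off + 5:end]))
        off = end
    return records, stream[off:]


def looks_like_fake_tls(stream):
    """Heuristic (an assumption of this example, not a documented HOPLIGHT trait):
    a stream that presents TLS handshake records and then carries data that does
    not frame as TLS records is treated as a faked session."""
    records, trailing = parse_records(stream)
    if not any(ctype == HANDSHAKE for ctype, _, _ in records):
        return False  # never claimed to be TLS; outside the scope of this check
    return len(trailing) > 0


# --- constructed samples (not captures of real traffic) ---------------------
# Handshake payloads: 1-byte handshake type, 3-byte length, then body.
HS_CLIENT_HELLO = record(HANDSHAKE, b"\x01\x00\x00\x06\x03\x03" + b"\x00" * 4)
HS_SERVER_HELLO = record(HANDSHAKE, b"\x02\x00\x00\x06\x03\x03" + b"\x00" * 4)
# Certificate message (type 0x0b); the body is a placeholder for a DER blob.
HS_CERTIFICATE = record(HANDSHAKE, b"\x0b\x00\x00\x10" + b"\x30\x82" + b"\xa5" * 14)
CCS = record(CHANGE_CIPHER_SPEC, b"\x01")
APP = record(APPLICATION_DATA, bytes(range(0x40, 0x60)))

# A genuine session: every byte after the handshake is still a TLS record.
GENUINE_SESSION = HS_CLIENT_HELLO + HS_SERVER_HELLO + HS_CERTIFICATE + CCS + APP + APP
# A faked session: the handshake is followed by an unframed operator command.
FAKE_SESSION = HS_CLIENT_HELLO + HS_SERVER_HELLO + HS_CERTIFICATE + b"CMD:list C:\\Users\r\n"

if __name__ == "__main__":
    for name, stream in (("genuine", GENUINE_SESSION), ("fake", FAKE_SESSION)):
        recs, rest = parse_records(stream)
        print(f"{name}: {len(recs)} records, {len(rest)} trailing bytes, "
              f"fake={looks_like_fake_tls(stream)}")
```

In practice this kind of check belongs in a network sensor (a Zeek or Suricata rule rather than a standalone script), and it catches only the crude case where the post-handshake bytes are not TLS-framed; a proxy that wraps its traffic in well-formed application-data records would pass it. A stronger signal is to compare the subject and SAN of the presented certificate with the destination the client actually connected to, which needs real certificate parsing and is not shown here.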
The Lazarus Group
Referred to by the US government as HIDDEN COBRA, and also known as the Lazarus Group, the North Korean-aligned threat group behind the malware is believed to have been active since 2009.
It is the same group that was said to be responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, which occurred in the lead-up to the release of comedy film The Interview (the film is about a plot to assassinate North Korean leader Kim Jong-un).
The malware attack copied critical files and rendered many computers within Sony inoperable.
A 2017 report into the WannaCry attack – which affected approximately 300,000 computers globally – concluded it was “highly likely” that Lazarus was behind the incident.
In September 2018, the US Department of Justice charged Park Jin-hyok over his role in both the Sony and WannaCry attacks, carried out while he worked for North Korea’s Reconnaissance General Bureau.
Park remains on the FBI’s most wanted list.