A never-before-seen spyware variant called HOPLIGHT is targeting U.S. companies and government agencies in active attacks, according to the U.S. Department of Homeland Security.
In an advisory this week, the United States Computer Emergency Readiness Team (US-CERT) said that there are nine different executable files being used to spread the malware, which is the work of the North Korean government’s Hidden Cobra APT (a.k.a. the Lazarus Group), it said. These files are signed with valid certificates to get around basic antivirus measures, and use encrypted connections to communicate with their command-and-control (C2) servers.
The certificates are from Naver.com, which is the largest search engine in Korea and provides a variety of web services to clients around the world.
“Seven of these files are proxy applications that mask traffic between the malware and the remote operators,” according to the advisory. “The proxies have the ability to generate fake TLS (transport layer security) handshake sessions using valid public SSL (secure sockets layer) certificates, disguising network connections with remote malicious actors.”
In addition, one file also contains a public SSL certificate, and the payload of the file appears to be encoded with a password or key; and the remaining file does not contain any of the public SSL certificates, but attempts to make outbound connections and drops four additional files on a targeted system, which contain IP addresses as well as SSL certificates.
HOPLIGHT is a custom affair, and a fully fledged spyware; it gathers system information and can exfiltrate files and data. It can also inject code into various processes, and can download additional malware, so it could be used to disrupt regular operations and disable systems and files. It’s not a small operation, either: 15 different IP addresses have been seen to be associated with the HOPLIGHT infrastructure, according to the warning.
The alert doesn’t mention how the executable files are being disseminated. Threatpost has reached out to researchers for additional analysis or the IOCs and will update this post accordingly.
Hidden Cobra/Lazarus has been a thorn in the side of U.S. companies for some time, and continuously updates its malware strategy. For instance, last year the state-sponsored actors were seen using two custom families of malware against U.S. assets: A remote access tool (RAT) dubbed Joanap; and a Server Message Block (SMB) worm known as Brambul – both older code that had been updated to more effectively target sensitive and proprietary information.
Also last year, Thailand’s Computer Emergency Response Team (ThaiCERT) seized a server operated by the APT, which is part of the network used to control the global GhostSecret espionage campaign. McAfee warned at the time that the GhostSecret campaign was carrying out data reconnaissance on a wide number of industries, including critical infrastructure, entertainment, finance, healthcare and telecommunications, in at least 17 countries.
The group also was linked to the infamous 2014 Sony Pictures hack, for instance, as well as the SWIFT banking attacks.
To avoid compromise, users and administrators should follow best practices, especially maintaining up-to-date patching and antivirus; enabling workstation firewalls; implementing email- and download-scanning to quarantine or block suspicious attachments and files; and restricting user permissions for software installations.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.
