US CERT Warns of N. Korean 'Hoplight' TrojanHidden Cobra, Also Known as Lazarus, Appears to Be Behind the Malware
The U.S. Computer Emergency Readiness Team has issued a fresh warning about a newly discovered Trojan called Hoplight that is connected to a notorious advanced persistent threat group with links to North Korea.
The malware can disguise the network traffic it sends back to its originators, making it more difficult for security companies and law enforcement officials to track its movements, CERT reports. While Hoplight has been spotted in the wild, CERT did not name any victims or mention whether it has targeted a specific industry.
The group behind this malware is Hidden Cobra, which is the U.S. government's name for the Lazarus Group, a North Korean-backed APT group that has been linked to numerous cyberattacks, including the WannaCry ransomware attacks of 2017 as well as the Sony Pictures breach of 2014.
Hidden Cobra and several other North Korean-backed groups are also believed to be responsible for a significant number of financial crimes that target banks and cryptocurrency exchanges throughout the world, according to a recent United Nations report.
Since May 2017, CERT has issued 16 warnings about malware and other cyberattacks associated with North Korea-linked groups, such as Hidden Cobra. This includes WannaCry and, more recently, FASTCash - a scheme that uses a Trojan to wipe out ATMs.
Spotlight on Hoplight
Security analysts from the Department of Homeland Security and the FBI conducted an analysis of the Hoplight Trojan, which had been spotted in the wild, before CERT issued its alert on Wednesday.
The analysis found that the malware comprises several proxy applications that are part of a "phone home" operation run by Hidden Cobra. This means that the Hoplight Trojan can disguise the traffic that is sent back to its command-and-control server to help disguise its purpose, according to CERT.
Investigators found that Hoplight has nine malicious executable files, seven of which are the proxy applications that help mask the traffic between the Trojan and the operators, according to the report. Some of these proxies generate phony TLS handshakes using valid public SSL certificates, which help disguise network connections to the group running the malware.
In this case, the SSL certificate is actually from Naver, the largest search engine in Korea, which also provides a number of web services, the report finds.
Because Hoplight has the ability to disguise the traffic running between it and the C&C server, the Trojan is extremely powerful, CERT says. Once a system is infected with it, the malware collects important information about the victim's machine, including the type of operating system it's running, volume information and system time. It can also enumerate system drives and partitions.
The Trojan also has the ability to read, write and move files; create and terminate processes; inject into running processes; create, start and stop services; modify registry settings; connect to the host; and upload and download files, the report finds.
Any Attacks Yet?
The CERT report does not indicate if any businesses or organizations have sustained an attack from Hidden Cobra using the Hoplight Trojan. But because it has been spotted in the wild and investigators were able to reverse-engineer some of the malware, there's a good chance that it has been used in some way.
While enterprises should pay attention to alerts from CERT, the attackers are also monitoring these announcements, which means they are likely to eventually change tactics, says Chris Morales, head of security analytics at Vectra, a San Jose, California-based threat detection and response firm.
"What I always find interesting in these notices is that they provide a set of static rules and destinations for organizations to look for as indicators of an attack," Morales says. "Attackers monitor the same information as security analysts and are well aware of what the defender knows. If I was the attacker, I would test the included detection rule and modify my payload until the rule no longer works."
Morales believes studying the underlying behaviors of this type of malware can better prepare security teams to craft defenses they need to protect against an attack.
In addition to Wednesday's alert, CERT issued some precautions that businesses, government agencies and other organizations can follow to avoid being attacked by this type of Trojan.
- Maintain up-to-date anti-virus signatures and engines and keep operating system patches current;
- Disable file and printer sharing services when possible; use strong passwords or Active Directory for authentication;
- Restrict users from installing and running unauthorized software;
- Disable unnecessary services and software as well as workstations and servers;
- Scan and remove suspicious email attachments, and ensure that attachments are "true file types" - the extension matches the file header.