The US government has put out a security alert today about a new malware strain used by North Korean hackers, which the US government has named HOPLIGHT.
The report, authored by malware analysts from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), attributes the HOPLIGHT malware to HIDDEN COBRA, the US government’s designation for North Korea’s main government-backed hacking group, also referred to in news articles and cyber-security reports as the Lazarus Group.
According to the joint DHS-FBI alert, HOPLIGHT appears to be a very powerful backdoor trojan.
On infected systems, the malware collects information about the target’s device and sends the data to a remote server. It can also receive commands from its command and control (C&C) server and execute various operations on infected hosts.
According to the DHS-FBI report, HOPLIGHT can:
- Read, write, and move files
- Enumerate system drives
- Create and terminate processes
- Inject code into running processes
- Create, start, and stop services
- Modify registry settings
- Connect to a remote host
- Upload and download files
The malware also uses a built-in proxy application to mask its communications with the remote command-and-control (C&C) server.
“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” said DHS and FBI analysts.