Officials at the US Department of Homeland Security (DHS) have issued another warning about North Korean malware, this time a new variant dubbed “Hoplight.”
The backdoor trojan malware is linked to the notorious Hidden Cobra group, also known as the Lazarus Group.
“This artifact is a malicious PE32 executable. When executed the malware will collect system information about the victim machine including OS version, volume information, and system time, as well as enumerate the system drives and partitions,” the alert warned.
“The malware is capable of the following functions: Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files.”
The malware uses a public SSL certificate from South Korean web giant Naver for its encrypted communications, and employs proxies to obfuscate its activity.
“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report claimed.
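A defender's check for the behaviour described above, as an added example that is not part of the original article: when a proxy borrows a legitimate public certificate, the certificate's subject will not match the name the client asked for (SNI) or the host it actually connected to. The script parses a few constructed, Zeek-style ssl.log records and flags connections where the presented certificate CN does not match the SNI; the `*.naver.com` CN and all IP addresses are assumptions for illustration, not values taken from the alert.

```python
from dataclasses import dataclass

# Constructed sample records in the spirit of Zeek's ssl.log (not real traffic):
# ts, source IP, destination IP, SNI sent by the client, CN of the presented certificate.
# "-" means the client sent no server_name extension.
SAMPLE_SSL_LOG = """\
1555000001.1\t10.0.0.5\t203.0.113.10\twww.naver.com\t*.naver.com
1555000002.2\t10.0.0.5\t198.51.100.77\t-\t*.naver.com
1555000003.3\t10.0.0.9\t198.51.100.78\tupdate.example.net\t*.naver.com
1555000004.4\t10.0.0.9\t192.0.2.20\tmail.example.org\tmail.example.org
"""

@dataclass
class SslRecord:
    ts: float
    src: str
    dst: str
    sni: str
    cert_cn: str

def parse_ssl_log(text):
    """Parse tab-separated records; blank and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, sni, cn = line.split("\t")
        records.append(SslRecord(float(ts), src, dst, sni, cn))
    return records

def cn_matches(cn, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return hostname.count(".") == cn.count(".") and hostname.endswith(cn[1:])
    return cn == hostname

def find_suspicious(records):
    """Return (record, reason) pairs for handshakes whose certificate does not fit the SNI.
    A missing SNI is only a heuristic hit: some legitimate clients omit it too."""
    hits = []
    for r in records:
        if r.sni == "-":
            hits.append((r, "no SNI, but a public certificate was presented"))
        elif not cn_matches(r.cert_cn, r.sni):
            hits.append((r, f"SNI {r.sni} does not match certificate CN {r.cert_cn}"))
    return hits

if __name__ == "__main__":
    for rec, why in find_suspicious(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(f"{rec.src} -> {rec.dst}: {why}")
```

Correlating the flagged destinations with passive DNS or the certificate owner's published address ranges turns this heuristic into a higher-confidence indicator.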
This is the latest in a long line of alerts warning of new North Korean malware, now in the double-digits.
This is the 16th report compiled by the DHS and FBI over the past two years on malicious activity associated with Hidden Cobra. Hoplight primarily consists of proxy applications used by Hidden Cobra to disguise its efforts to ‘phone home,’ which is the traffic sent by the malware back to its command and control (C&C) server.
source: Info Security