DHS, FBI Alert: North Korean Backdoor Trojan HOPLIGHT Detected in the Wild, Linked to Lazarus

HOPLIGHT, a critical backdoor Trojan linked to North Korean APT group Lazarus, has been found in the wild, warn the FBI and the Department of Homeland Security in a new malware analysis report.

Lazarus Group is also known as HIDDEN COBRA, a hacking organization backed by the North Korean government, responsible for large domestic and global state-sponsored attacks in the financial services, entertainment and aerospace sectors. This gang’s hacking activity spans ten years, as HIDDEN COBRA is believed to have started targeting victims in 2009.

Not only do they aim to exfiltrate critical data and disrupt operations, but also have a history of financial crime. The group was allegedly behind the notorious attack on Sony Pictures Entertainment in 2014, on a number of banks in Ecuador, Vietnam, Poland, Mexico, Bangladesh and Taiwan that led to the theft of 1 billion dollars, cryptocurrency attacks and the infamous WannaCry ransomware attack that crippled tens of thousands of computer systems worldwide.

This is the 16th report on North Korean malware released by the two agencies in collaboration with other government partners. US security analysts have extensively researched and analyzed North Korean Trojan malware to improve network defense and fend off cyberespionage from foreign governments. HOPLIGHT malware targets critical infrastructures and any malicious activity should immediately be reported to the FBI.

Security experts looked into nine malicious executables, including seven that were built-in proxy applications to fake a secure connection for hiding outbound traffic to the command-and-control server where stolen files are uploaded.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” reads the alert. “One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.”

Once the spyware has infected the systems, it gathers system information through a PE32 executable, “read, write, and move files, enumerate system drives, create and terminate processes, inject code into running processes, create, start, and stop services, modify registry settings, connect to a remote host or upload and download files.”

All organizations should immediately upgrade systems and apply all necessary patches. The US government is concerned such a remote attack could inflict major damage on country’s infrastructure and critical sectors.

The US government believes blockchain could be the solution to fend off remote attacks on the energy supply chain, and has announced its sponsorship for a blockchain project to protect power plants and electric grids from hacking attempts similar to the ones in Ukraine in 2016.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Luana Pascu. Read the original post at:

Secure Guardrails