New HOPLIGHT Malware Appears in Latest North Korean Attacks, Say DHS, FBI

  /     /     /  
Publicated : 23/11/2024   Category : security


New HOPLIGHT Malware Appears in Latest North Korean Attacks, Say DHS, FBI


The FBI and Department of Homeland Security release malware analysis report, indicators of compromise for nine different executable files.



The North Korean government has rolled out a new malware variant, dubbed HOPLIGHT, targeting US companies and government agencies, the US Department of Homeland Security and the Federal Bureau of Investigation warned April 10. 
The US advisory and
malware analysis report, or MAR
, offered details on nine different executable files that use valid certificates and encrypted connections to download files to a compromised system and send information back to attacker-controlled servers.
Taken together, the malicious programs can read, write and move files, gather information on the targeted system, manipulate processes and services, and connect back to a remote host.
Seven of these files are proxy applications that mask traffic between the malware and the remote operators, according to the MAR. The proxies have the ability to generate fake TLS (transport layer security) handshake sessions using valid public SSL (secure sockets layer) certificates, disguising network connections with remote malicious actors.
The report also listed 15 Internet addresses associated with the malwares infrastructure.
DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity, the agencies stated in 
an advisory
.
 
A history of attacking with vindictiveness
The malware is part of North Koreas cyber toolset which the US refers to under the codename HIDDEN COBRA.
Over the past decade, North Korea—officially known as the Democratic Peoples Republic of Korea (DPRK)—has joined Iran, Russia, and China as a frequent cyber actor, with a particular focus on currency generation and attacks that support the DPRKs political aims. 
In 2014, attackers—identified as the North Korean group Lazarus—stole e-mail files, business-sensitive files, and e-mail accounts from Sony Pictures, purportedly in
retribution for the movie studios film,
The Interview
. In the years since the attack, the North Korean group, also referred to as APT38 by security firms, has focused on stealing money from financial institutions—
targeting as much as $1.1 billion
–by attacking the SWIFT banking system, using ransomware,
such as WannaCry
, to extort money from firms, and compromising systems with crypto-mining software to generate cryptocurrency.
Recent diplomatic talks between the United States and North Korea have not slowed the pace of DPRKs hackers, according to Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity services firm.
Interestingly, despite participating in diplomatic outreach, DPRK has remained active in both intelligence collection and currency-generation schemes, he said.
The latest analysis by the US government describes methods of detecting the HOPLIGHT toolset—an incremental improvement of North Korean cyber operations—using indicators of compromise (IOCs) and information about the infrastructure and code. 
The fact that they are putting these out there is really cool, says Adam Kujawa, director of Malwarebytes Labs at Malwarebytes. Im glad that they are sharing this data, because with IOCs, people can identify what the threats are.
Among the details: One file contains a public secure sockets layer (SSL) certificate with a payload that appears to be encoded with a password or key, the MAR stated. Another file does not contain any certificates, but drops four files onto the target systems and repeatedly attempt to connect the servers at the listed IP addresses.
Kujawa notes that the analysis does not mention where the executables came from, whether found on a third-party server or on a compromised system. And with compilation dates stretching back to May 2017, some of the files are nearly two years old.
However, companies should take the threat seriously, says Chris Duvall, senior director of The Chertoff Group, a cybersecurity consultancy. North Korea has shown little hesitation in attacking companies or nation-state targets.
There is a history of attacking with vindictiveness, he says. Financial institutions and critical infrastructure and healthcare, in particular, should be on their toes and watch out for this.
 
Related Content
The Opsec Fail That Helped Unmask a North Korean State Hacker
Inside the North Korean Hacking Operation Behind SWIFT Bank Attacks
19 Minutes to Escalation: Russian Hackers Move the Fastest
Data on 997 North Korean Defectors Targeted in Hack
US to Charge North Korea for Sony Breach, WannaCry
 
 
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New HOPLIGHT Malware Appears in Latest North Korean Attacks, Say DHS, FBI