North Korea's state-sponsored Lazarus hackers are back with new malware: the HOPLIGHT trojan
North Korean state hackers are back: the US Department of Homeland Security (DHS) and the FBI have issued a joint Malware Analysis Report (MAR) on a new Trojan dubbed HOPLIGHT. According to the document published by US-CERT, the malicious code was detected while tracking the activity of the Pyongyang-backed hacking group HIDDEN COBRA (aka Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY). The MAR provides analysis of nine malicious executable files. Seven are proxy applications that mask traffic between the malware and its remote operators: they can generate fake TLS handshake sessions using valid public SSL certificates, so the connections to attacker-controlled hosts look like ordinary HTTPS traffic. One file contains a public SSL certificate, and its payload appears to be encoded with a password or key. The remaining file contains none of the public SSL certificates, but attempts outbound connections and drops four files.
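The "borrowed certificate" trick described above leaves a detectable trace: a certificate that validates as a legitimate public certificate is presented on a connection whose destination or SNI does not fit that certificate. The following heuristic detector is an added example written for this page, not code from the MAR or from the malware; it runs over constructed Zeek-style ssl.log lines (fake traffic, not real HOPLIGHT captures) and the KNOWN_HOSTS map of expected server IPs per certificate name is an assumed allowlist an analyst would maintain.

```python
"""Flag TLS sessions whose valid public certificate looks borrowed.

Added example for this article. The input format mirrors a subset of
Zeek's ssl.log fields (id.orig_h, id.resp_h, id.resp_p, server_name,
subject, validation_status); the records below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class TlsSession:
    src: str
    dst: str
    dst_port: int
    server_name: str   # SNI from the ClientHello; "-" when absent
    subject: str       # certificate subject DN as Zeek logs it
    validation: str    # Zeek validation_status ("ok" = chains to a trusted CA)


# Constructed sample log (tab-separated, same column order as the dataclass).
SAMPLE_LOG = """\
10.0.0.5\t203.0.113.10\t443\twww.example.com\tCN=www.example.com,O=Example Inc\tok
10.0.0.5\t198.51.100.7\t443\t-\tCN=www.example.com,O=Example Inc\tok
10.0.0.8\t198.51.100.9\t8443\tupdates.example.net\tCN=mail.example.org,O=Other\tok
10.0.0.9\t192.0.2.4\t443\tlogin.example.org\tCN=login.example.org,O=Example\tself signed certificate
"""

# Assumed allowlist: which server IPs legitimately present a given certificate CN.
KNOWN_HOSTS = {"www.example.com": {"203.0.113.10"}}


def parse_ssl_log(text):
    """Parse tab-separated records, skipping blank and '#' comment lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, sni, subject, validation = line.split("\t")
        sessions.append(TlsSession(src, dst, int(port), sni, subject, validation))
    return sessions


def subject_cn(subject):
    """Extract the CN attribute from a comma-separated DN, lower-cased."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1).strip().lower() if m else ""


def hostname_matches(cn, sni):
    """Exact match or single-label wildcard (*.example.com covers a.example.com only)."""
    if cn.startswith("*."):
        return sni.count(".") >= 2 and sni.split(".", 1)[1] == cn[2:]
    return cn == sni


def flag_suspicious(sessions, known_hosts):
    """Return (dst_ip, [reasons]) for sessions with a valid cert that does not fit."""
    findings = []
    for s in sessions:
        if s.validation != "ok":
            continue  # self-signed or broken chains are a different detection
        cn = subject_cn(s.subject)
        reasons = []
        if s.server_name == "-":
            reasons.append("valid public certificate but no SNI in ClientHello")
        elif not hostname_matches(cn, s.server_name.lower()):
            reasons.append(f"SNI {s.server_name} does not match certificate CN {cn}")
        if cn in known_hosts and s.dst not in known_hosts[cn]:
            reasons.append(f"certificate for {cn} served from unexpected host {s.dst}")
        if reasons:
            findings.append((s.dst, reasons))
    return findings


if __name__ == "__main__":
    for dst, reasons in flag_suspicious(parse_ssl_log(SAMPLE_LOG), KNOWN_HOSTS):
        print(dst, "->", "; ".join(reasons))
```

Sessions whose chain does not validate are deliberately skipped, because the page's point is that these proxies use certificates that do validate; the signal is the mismatch between a good certificate and where it is being served. In production the allowlist would come from passive DNS or certificate transparency data rather than a hand-written dictionary.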
The analysts' finding: it collects system information about the victim machine, including OS version, volume information, and system time, and enumerates the system drives and partitions
The US analysts found that HOPLIGHT, when executed, collects system information about the victim machine, including OS version, volume information, and system time, and enumerates the system drives and partitions. Furthermore, the malicious code can read, write, and move files; enumerate system drives; create and terminate processes; inject into running processes; create, start, and stop services; modify registry settings; connect to a remote host; and upload and download files. It is also capable of opening and binding to a socket, and it uses a public SSL certificate to encrypt its communications. This capability set points to cyber espionage and data theft as its likely purpose.