Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea

The new malware is thought to be the work of North Korean state-linked hacking group HIDDEN COBRA, aka Lazarus Group

The US Department of Homeland Security (DHS) and the FBI have issued a warning over renewed North Korean state hacking activity.

They claim to have identified new malware, named HOPLIGHT, which they suspect is the work of HIDDEN COBRA, the US government's name for the North Korean state-linked hacking group. The group is also referred to as 'Lazarus' by many cyber-security experts.

The warning comes in a new Malware Analysis Report (MAR) released yesterday.

"DHS and FBI are distributing this report to enable network defence and reduce exposure to North Korean government malicious cyber activity," US-CERT warned in a post.


According to the report, HOPLIGHT is a powerful backdoor Trojan and consists of nine malicious executable files.

Seven of the files act as proxy layers to mask the communication between the spyware and the remote attackers, confusing admins and preventing security software from detecting the hacking attempt.

The spyware can read and write files, securely connect to a remote control server and upload confidential files from the infected system to it, the report claims. The malicious programme is also capable of creating, terminating or changing registry settings, as well as running processes.

In order to communicate securely with its operators, the spyware generates a fake TLS handshake session using public SSL certificates that are placed in one of the nine files. Researchers believe the payload of the file is likely encoded with a key or password.
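As an added defender-side illustration, not code from the report or from this article: a small Go triage helper that lists the X.509 certificates embedded in a file, the kind of static check an analyst would run on a sample said to carry public certificates for its fake TLS handshakes. The sample buffer and the 'constructed-example.invalid' name are constructed for the demonstration and stand in for no real sample.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"math/big"
	"time"
)

// EmbeddedCert: offset of the PEM header, subject DN, hex SHA-256 of the DER bytes (for matching indicators).
type EmbeddedCert struct{ Offset int; Subject, SHA256 string }
var certHeader = []byte("-----BEGIN CERTIFICATE-----")

// FindEmbeddedCerts scans raw file contents for PEM-encoded certificates and returns every
// block that parses as X.509, so the certificates a sample carries can be listed without running it.
func FindEmbeddedCerts(data []byte) []EmbeddedCert {
	var found []EmbeddedCert
	for base := 0; ; {
		idx := bytes.Index(data[base:], certHeader)
		if idx < 0 {
			return found
		}
		block, rest := pem.Decode(data[base+idx:]) // skips truncated or bogus headers on its own
		if block == nil {                           // no complete block anywhere after this header
			return found
		}
		end := len(data) - len(rest) // pem.Decode returns the unconsumed tail
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			sum := sha256.Sum256(cert.Raw)
			// LastIndex gives the header of the block actually decoded, not a skipped dangling one
			found = append(found, EmbeddedCert{bytes.LastIndex(data[:end], certHeader), cert.Subject.String(), hex.EncodeToString(sum[:])})
		}
		base = end
	}
}
// SampleBuffer is a constructed stand-in for a binary (not a real sample): filler bytes, a
// dangling PEM header, a throwaway self-signed certificate for cn, then trailing bytes.
func SampleBuffer(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(append([]byte("MZ\x90\x00 filler -----BEGIN CERTIFICATE-----\n"), p...), " trailing"...)
}
```

The fingerprints it prints are what an analyst would compare against the hashes and certificate details published in a malware analysis report.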

The report has provided digital signatures for all nine files associated with HOPLIGHT. The presence of the malware was detected worldwide in a large number of malicious activities being carried out by HIDDEN COBRA.

Those activities were not found to be specific to any particular critical infrastructure sector.

Unlike other state-sponsored hacking operations that focus on espionage or intellectual property theft, HIDDEN COBRA/Lazarus has focused largely on financial crime to help the isolated state get cash into its coffers.

The group is also linked with the high-profile attack on Sony Pictures Entertainment in 2014 after the studio went ahead with the release of 'The Interview', a film premised on the assassination of North Korean leader Kim Jong-un.


US-CERT has advised administrators and security teams to patch systems regularly and to maintain up-to-date malware protection in order to protect their systems and networks from attacks from the North Korean state hackers.

Admins have also been requested to flag any malicious activity and report it immediately to the FBI Cyber Watch (CyWatch) or the Cybersecurity and Infrastructure Security Agency.
