Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/11/2019
07:45 PM
50%
50%

New 'HOPLIGHT' Malware Appears in Latest North Korean Attacks, Say DHS, FBI

The FBI and Department of Homeland Security release malware analysis report, indicators of compromise for nine different executable files.

The North Korean government has rolled out a new malware variant, dubbed HOPLIGHT, targeting US companies and government agencies, the US Department of Homeland Security and the Federal Bureau of Investigation warned April 10. 

The US advisory and malware analysis report, or MAR, offered details on nine different executable files that use valid certificates and encrypted connections to download files to a compromised system and send information back to attacker-controlled servers.

Taken together, the malicious programs can read, write and move files, gather information on the targeted system, manipulate processes and services, and connect back to a remote host.

"Seven of these files are proxy applications that mask traffic between the malware and the remote operators," according to the MAR. "The proxies have the ability to generate fake TLS (transport layer security) handshake sessions using valid public SSL (secure sockets layer) certificates, disguising network connections with remote malicious actors."

The report also listed 15 Internet addresses associated with the malware's infrastructure.

"DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity," the agencies stated in an advisory.

 

'A history of attacking with vindictiveness'

The malware is part of North Korea's cyber toolset which the US refers to under the codename HIDDEN COBRA.

Over the past decade, North Korea—officially known as the Democratic People's Republic of Korea (DPRK)—has joined Iran, Russia, and China as a frequent cyber actor, with a particular focus on currency generation and attacks that support the DPRK's political aims. 

In 2014, attackers—identified as the North Korean group Lazarus—stole e-mail files, business-sensitive files, and e-mail accounts from Sony Pictures, purportedly in retribution for the movie studio's film, The Interview. In the years since the attack, the North Korean group, also referred to as APT38 by security firms, has focused on stealing money from financial institutions—targeting as much as $1.1 billion–by attacking the SWIFT banking system, using ransomware, such as WannaCry, to extort money from firms, and compromising systems with crypto-mining software to generate cryptocurrency.

Recent diplomatic talks between the United States and North Korea have not slowed the pace of DPRK's hackers, according to Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity services firm.

"Interestingly, despite participating in diplomatic outreach, DPRK has remained active in both intelligence collection and currency-generation schemes," he said.

The latest analysis by the US government describes methods of detecting the HOPLIGHT toolset—an incremental improvement of North Korean cyber operations—using indicators of compromise (IOCs) and information about the infrastructure and code. 

"The fact that they are putting these out there is really cool," says Adam Kujawa, director of Malwarebytes Labs at Malwarebytes. "I'm glad that they are sharing this data, because with IOCs, people can identify what the threats are."

Among the details: One file contains a public secure sockets layer (SSL) certificate with a payload that appears to be encoded with a password or key, the MAR stated. Another file does not contain any certificates, but drops four files onto the target systems and repeatedly attempt to connect the servers at the listed IP addresses.

Kujawa notes that the analysis does not mention where the executables came from, whether found on a third-party server or on a compromised system. And with compilation dates stretching back to May 2017, some of the files are nearly two years old.

However, companies should take the threat seriously, says Chris Duvall, senior director of The Chertoff Group, a cybersecurity consultancy. North Korea has shown little hesitation in attacking companies or nation-state targets.

"There is a history of attacking with vindictiveness," he says. "Financial institutions and critical infrastructure and healthcare, in particular, should be on their toes and watch out for this."

 

Related Content

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5007
PUBLISHED: 2020-01-17
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename pa...
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...