DHS and FBI Release Advisory on New Lazarus Trojan Attacks

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning that the Lazarus APT has launched attacks using a new Trojan called HOPLIGHT.

Lazarus, a North Korea-backed hacking group, uses spear phishing attacks to install malware on high-value targets. The group appears to be motivated primarily by financial gain rather than by intellectual property theft or espionage. It is also known by other aliases such as Hidden Cobra, Zinc, and Nickel Academy.

Lazarus is the group that is generally considered responsible for the WannaCry attacks and several other high-profile cybersecurity incidents.

Trojan horses are malware disguised as harmless software. Attackers usually install them under false pretences, tricking the user into believing that they serve a legitimate purpose. Once a Trojan is executed on a system, the attacker can gain access to that system and steal valuable information for nefarious purposes. Trojans are often delivered through a phishing campaign, such as Lazarus' spear phishing attacks.

The Trojan was discovered while tracking the activity of the hacking group. According to the FBI/DHS advisory, the Trojan can read, write and move files, enumerate system drives, create and terminate processes, inject code into running processes, modify registry settings, create, start and stop services, connect to a remote host, and upload and download files. The malware uses a public SSL certificate from naver.com for secure communication.

The US-CERT website states that nine executable files were discovered to be infected with the HOPLIGHT Trojan, seven of which were proxy applications that mask traffic between the malware and the remote operators. The proxies can generate fake TLS handshake sessions using public SSL certificates, disguising the network connections to the remote malicious actors as ordinary traffic to a well-known site.
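To illustrate how a defender might spot the fake TLS handshakes described above, here is an added example (my own code, not from the advisory or from US-CERT) that flags TLS sessions whose server certificate does not cover the SNI the client requested, or where a naver.com certificate is presented with no SNI at all. The record layout, field names and sample values below are constructed for the demonstration and are not real indicators.

```python
# Added example: detect TLS sessions where a public certificate (here the
# naver.com one named in the advisory) is served by a host that the client
# did not actually ask for. Field names and sample records are constructed.
from dataclasses import dataclass
from typing import List


@dataclass
class TlsSession:
    ts: str
    dst: str            # server IP the client connected to
    sni: str            # hostname from the ClientHello ("" if absent)
    subject_cn: str     # CN of the leaf certificate
    san: List[str]      # dNSName entries of the leaf certificate


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style comparison: a wildcard only covers the left-most label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return hostname == pattern


def cert_names(s: TlsSession) -> List[str]:
    # SAN entries take precedence; fall back to the CN for old-style certs.
    return s.san if s.san else [s.subject_cn]


def flag_suspicious(sessions: List[TlsSession]) -> List[TlsSession]:
    """Return sessions where the certificate does not match the SNI, or where
    a naver.com certificate is served without any SNI (heuristic: a real
    browser visiting naver.com always sends one)."""
    flagged = []
    for s in sessions:
        names = cert_names(s)
        naver_cert = any(n.lower().endswith("naver.com") for n in names)
        if not s.sni:
            if naver_cert:
                flagged.append(s)
        elif not any(name_matches(s.sni, n) for n in names):
            flagged.append(s)
    return flagged


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE_SESSIONS = [
    TlsSession("2019-04-10T12:00:01", "203.0.113.10", "www.naver.com",
               "*.naver.com", ["*.naver.com", "naver.com"]),       # legitimate
    TlsSession("2019-04-10T12:00:07", "198.51.100.7", "",
               "*.naver.com", ["*.naver.com", "naver.com"]),       # no SNI
    TlsSession("2019-04-10T12:00:09", "198.51.100.9", "update.example.net",
               "*.naver.com", ["*.naver.com", "naver.com"]),       # mismatch
    TlsSession("2019-04-10T12:00:12", "192.0.2.5", "mail.example.org",
               "mail.example.org", []),                            # legitimate
]
```

Running `flag_suspicious(SAMPLE_SESSIONS)` returns the second and third records; the same logic can be applied to Zeek `ssl.log`/`x509.log` fields once they are joined on the certificate fingerprint.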

Lazarus is using HOPLIGHT in attacks all over the world and does not appear to be targeting any particular critical infrastructure sector. The advisory was issued so that organisations can take action to reduce their exposure to the threat.