A consortium of U.S. federal agencies has released a notification on Hoplight, a newly reported data-collecting malware family used by the North Korean cyberespionage group Hidden Cobra (aka Lazarus).
In its malware analysis report on Hoplight, the Department of Homeland Security, FBI, and Department of Defense noted that obfuscation plays a large role in the malware's behavior: the report covers 20 malicious executable files, 16 of which are proxy applications designed to mask activity between the malware and its operators.
“When executed the malware will
collect system information about the victim machine including OS Version,
Volume Information, and System Time, as well as enumerate the system drives and
partitions,” the report states.
The malware is sophisticated: its proxies can generate fake TLS handshake sessions using valid public SSL certificates, so the network connection to the operator is effectively disguised as legitimate TLS traffic. Because the certificates are valid, certificate checks alone will not flag this traffic; detection has to rely on other indicators.
Two versions of Hoplight exist, and they differ in their command opcodes, with version 2's values offset by one from version 1's: "So if the opcode for Keepalive in version 1 is 0xB6C1, the opcode in version 2 will be 0xB6C2," the report stated.
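For an analyst writing a decoder or detection rule, the practical consequence of that versioning is that a raw opcode cannot be interpreted until the protocol version of the session is known. The following is an added example, not code from the report or the article: it takes only the facts above (two versions, keepalive is 0xB6C1 in version 1 and 0xB6C2 in version 2, so version 2 opcodes are offset by one), infers the version of a session by testing which offset makes every observed opcode decode, and then normalizes the opcodes to their version 1 names. The 16-bit big-endian opcode, the length-prefixed message layout, the sample stream, and the extra command HYPOTHETICAL_CMD_A are all assumptions made for the demo.

```python
"""Version-aware decoding of Hoplight-style command opcodes (added example).

Facts taken from the report: two versions exist; keepalive is 0xB6C1 in
version 1 and 0xB6C2 in version 2, i.e. version 2 opcodes = version 1 + 1.
Everything else here (wire layout, the extra command, the sample stream)
is an assumption made for illustration.
"""
import struct
from typing import Dict, List, Optional, Tuple

KEEPALIVE_V1 = 0xB6C1            # from the report
VERSION_OFFSET = {1: 0, 2: 1}    # version 2 = version 1 + 1, from the report

# Version-1 opcode table. Only KEEPALIVE comes from the report; the second
# entry is a hypothetical placeholder so normalisation has more than one row.
OPCODES_V1: Dict[int, str] = {
    KEEPALIVE_V1: "KEEPALIVE",
    0xB6C3: "HYPOTHETICAL_CMD_A",   # assumed value, not from the report
}


def decode_opcode(opcode: int, version: int) -> Optional[str]:
    """Map a wire opcode to its command name under a known protocol version.

    The opcode is normalised back to the version-1 numbering by subtracting
    the per-version offset, then looked up. Unknown opcodes yield None.
    """
    base = opcode - VERSION_OFFSET[version]
    return OPCODES_V1.get(base)


def infer_version(opcodes: List[int]) -> List[int]:
    """Return every version under which *all* observed opcodes decode.

    A single opcode may be valid under more than one version, so the whole
    session is tested. An empty list means no version fits; a list with two
    entries means the session is still ambiguous.
    """
    return [v for v in VERSION_OFFSET
            if all(decode_opcode(op, v) is not None for op in opcodes)]


def build_message(opcode: int, payload: bytes = b"") -> bytes:
    """Assumed layout: 2-byte big-endian opcode, 2-byte big-endian length, payload."""
    return struct.pack(">HH", opcode, len(payload)) + payload


def parse_messages(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a stream in the assumed layout into (opcode, payload) pairs,
    rejecting truncated messages and trailing garbage."""
    msgs: List[Tuple[int, bytes]] = []
    off = 0
    while off + 4 <= len(blob):
        opcode, length = struct.unpack_from(">HH", blob, off)
        off += 4
        payload = blob[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated message at offset %d" % off)
        off += length
        msgs.append((opcode, payload))
    if off != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - off))
    return msgs


def decode_session(blob: bytes) -> dict:
    """Parse a session, infer its protocol version, and name every command.

    If the version cannot be pinned to exactly one candidate, no commands are
    named; the caller sees the candidate list instead of a guessed decode.
    """
    ops = [op for op, _ in parse_messages(blob)]
    candidates = infer_version(ops)
    if len(candidates) != 1:
        return {"version": None, "candidates": candidates, "commands": []}
    version = candidates[0]
    return {"version": version, "candidates": candidates,
            "commands": [decode_opcode(op, version) for op in ops]}


# Constructed sample sessions (not captured traffic): one per version.
SAMPLE_V1 = build_message(0xB6C1) + build_message(0xB6C3, b"x")
SAMPLE_V2 = build_message(0xB6C2) + build_message(0xB6C4, b"x")
SAMPLE_UNKNOWN = build_message(0xDEAD)

if __name__ == "__main__":
    for name, blob in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("unknown", SAMPLE_UNKNOWN)):
        print(name, decode_session(blob))
```

The design point is that the version is a property of the session, not of a single message: `infer_version` only commits when exactly one offset explains every opcode seen, and an empty session or an opcode that fits both versions stays unresolved rather than being decoded with a guess. When building real rules, replace the assumed wire layout and the placeholder command with values from your own analysis.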
Hidden Cobra is one of the most prolific state-sponsored hacking groups and attacks a wide variety of targets. The group primarily focuses on South Korean, U.S., and Japanese targets, the nations North Korea considers its primary foes, with an occasional smattering of others such as Russia.