The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have both issued advisories about a new Trojan called Hoplight which is being used by the Lazarus APT group.
Lazarus is a North Korea-backed hacking group, also known as Hidden Cobra, Zinc, and Nickel Academy. The group primarily uses spear phishing to install malware on high-value targets, and is concerned mainly with financial crime rather than with espionage and the theft of intellectual property.
The Trojan was discovered while tracking the activity of the hacking group. According to the advisories, the Trojan can read, write and move files, enumerate system drives, create and terminate processes, inject code into running processes, modify registry settings, create, start and stop services, connect to a remote host, and upload and download files. The malware uses a public SSL certificate from naver.com for secure communication.
According to the advisory on the US-CERT website, nine executable files were found to be infected with the Hoplight Trojan, seven of which were proxy applications that mask traffic between the malware and its remote operators. The proxies can generate fake TLS handshake sessions using public SSL certificates, disguising the network connections to the remote malicious actors.
Hoplight is being used in attacks around the globe and is not confined to a particular critical infrastructure sector. The advisories were issued so that organizations can take action to reduce their exposure to the threat. A detailed analysis of the malware, including indicators of compromise (IoCs), is available in the US-CERT advisory.