U.S. Attributes New Trojan to North Korean Hackers

Notorious North Korean hackers are using a new Trojan in their attacks, the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) warned on Wednesday.

Referred to as Lazarus, BlueNoroff, and Hidden Cobra and said to be backed by the North Korean government, the group is believed to have orchestrated a number of high-profile attacks, including the Bangladesh central bank heist and assaults on numerous financial organizations.

Over the past couple of years, the U.S. linked multiple tools to Hidden Cobra activity, including Typeframe, Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, Delta Charlie, and Joanap and Brambul.

In a Malware Analysis Report (MAR) this week, the DHS and FBI detail HOPLIGHT, a new Trojan used by Hidden Cobra. The powerful backdoor can collect information from the infected systems and can perform various actions as instructed by the command and control (C&C) server.

The malware consists of nine files, but seven of them are proxy applications designed to mask traffic between the malware and the remote operators. The proxies can generate fake TLS handshake sessions using valid public SSL certificates to hide network connections with the malicious servers.
