The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a Malware Analysis Report (MAR) on Wednesday warning industry about cyber attacks from the Lazarus Group, which is widely believed to be backed by the North Korean government. DHS and the FBI refer to the malware variant as HOPLIGHT.
The report includes an analysis of nine malicious executable files, seven of which are proxy applications designed to mask traffic between the malware and the remote operators.
One of the remaining files contains a public SSL certificate, and the payload of that file appears to be encoded with a password or key. The final file does not contain any of the public SSL certificates, but it attempts outbound connections and drops four files.
The alert continued, “[t]his MAR includes malware descriptions related to HIDDEN COBRA (how U.S. Government refers to malicious cyber activity by the North Korean government), suggested response actions and recommended mitigation techniques.” It further noted that users and administrators should flag all activity associated with the malware and report it to the Cybersecurity and Infrastructure Security Agency or the FBI Cyber Watch.