The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus.
The malware is being shared with the infosec community as part of a project run by USCYBERCOM’s Cyber National Mission Force (CNMF), which kicked off in November 2018 with the sharing of two files linked to a Russian-state actor.
The effort is aimed at sharing unclassified malware samples that CNMF believes have great impact on improving global cybersecurity and has already included the release of files linked to Iranian actors.
All of the 11 samples USCYBERCOM has now shared on the popular malware scanning engine target Windows systems, and the majority of them target 32-bit systems.
The samples are not new – 10 of them feature creation dates of 2017, while the 11th was created in February 2018 – and most have high detection rates on VirusTotal.
They seem linked to the “Hidden Cobra” cluster of activity, which is better known in the infosec community as the Lazarus Group.
Only one file, named netbtugc.exe, is detected by fewer than 20 anti-malware engines in VirusTotal. It too, however, contains resources in Korean and contacts an IP address already linked to other Lazarus malware samples.
Data from the THOR APT Scanner suggests the remaining samples are variants of the HOPLIGHT Trojan that the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) attributed to Hidden Cobra in April this year.
The malware is focused on collecting information from the infected systems, but can also perform various operations on the system, based on instructions received from its command and control (C&C) server.
Most of the files also seem related to Operation GhostSecret, an information-stealing campaign that McAfee attributed to Lazarus in April 2018.
Related: U.S. Attributes New Trojan to North Korean Hackers
Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers