Friday, January 10, 2025
HomeComputer SecurityDHS and FBI Uncovered North Korean Government Owned Hoplight Malware in Government...

DHS and FBI Uncovered North Korean Government Owned Hoplight Malware in Government Network

Published on

DHS and FBI discovered a new sophisticated malware called “Hoplight” which is operated by the North Korean Government as Hidden Cobra spotted on U.S government network.

This sophisticated malware variant used by the North Korean government to perform various cyber attack that targets various organization and Governments.

Researchers discovered nine malicious executable files that is used by attackers to steal the sensitive data from the targeted network.

Out of nine, seven of these files are proxy applications that deployed by threat actors to mask traffic between the malware and the remote operators.

These proxies have an ability to fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers to perform further operation.

According to US CERT, One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates.

Hoplight Malware Infection Process

Initially Trojan attempted to connect with its command and control server which is operating by the North Korean threat actors that drop 4 new files that contain IP addresses and SSL certificates.

New file artifacts referred as a weaponized PE32 executable, Once it executed on targeted system the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

During the beginning stage of the infection process, Hoplight malware performing following operations,

  • Read, Write, and Move Files
  • Enumerate System Drives
  • Create and Terminate Processes
  • Inject into Running Processes
  • Create, Start and Stop Services
  • Modify Registry Settings
  • Connect to a Remote Host
  • Upload and Download Files

This malware mainly abusing the public SSL certificate for secure communication to evade the security software detection.

” This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world. “

During the execution process of this malware, it will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware.

” The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malwar, ” FBI said.

You can also read the complete artifacts and various attempts to the target details here

Indicator of Compromise

Users or administrators should flag activity associated with the malware and the following IOC.

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)

Additional Files (4)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (15)

112.175.92.57
113.114.117.122
128.200.115.228
137.139.135.151
181.39.135.126
186.169.2.237
197.211.212.59
21.252.107.198
26.165.218.44
47.206.4.145
70.224.36.194
81.94.192.10
81.94.192.147
84.49.242.125
97.90.44.200

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Criminal IP Launches Real-Time Phishing Detection Tool on Microsoft Marketplace

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has...

New PayPal Phishing Abusing Microsoft365 Domains for Sophisticated Attacks

A new and sophisticated phishing scam has been uncovered, leveraging Microsoft 365 domains to...

APT32 Hacker Group Attacking Cybersecurity Professionals Poisoning GitHub

The malicious Southeast Asian APT group known as OceanLotus (APT32) has been implicated in...

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages "solanacore," "solana login," and "walletcore-gen" on npmjs target Solana developers with Windows...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages "solanacore," "solana login," and "walletcore-gen" on npmjs target Solana developers with Windows...

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is...

Researchers Reveal Exploitation Techniques of North Korean Kimsuky APT Group

Since 2013, the advanced persistent threat (APT) known as Kimsuky, which the North Korean...