Hoplight Malware

DHS and FBI discovered a new sophisticated malware called “Hoplight” which is operated by the North Korean Government as Hidden Cobra spotted on U.S government network.

This sophisticated malware variant used by the North Korean government to perform various cyber attack that targets various organization and Governments.

Researchers discovered nine malicious executable files that is used by attackers to steal the sensitive data from the targeted network.

Out of nine, seven of these files are proxy applications that deployed by threat actors to mask traffic between the malware and the remote operators.

These proxies have an ability to fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers to perform further operation.

According to US CERT, One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates.

Hoplight Malware Infection Process

Initially Trojan attempted to connect with its command and control server which is operating by the North Korean threat actors that drop 4 new files that contain IP addresses and SSL certificates.

New file artifacts referred as a weaponized PE32 executable, Once it executed on targeted system the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

During the beginning stage of the infection process, Hoplight malware performing following operations,

  • Read, Write, and Move Files
  • Enumerate System Drives
  • Create and Terminate Processes
  • Inject into Running Processes
  • Create, Start and Stop Services
  • Modify Registry Settings
  • Connect to a Remote Host
  • Upload and Download Files

This malware mainly abusing the public SSL certificate for secure communication to evade the security software detection.

” This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world. “

During the execution process of this malware, it will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware.

” The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malwar, ” FBI said.

You can also read the complete artifacts and various attempts to the target details here

Indicator of Compromise

Users or administrators should flag activity associated with the malware and the following IOC.

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)

Additional Files (4)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (15)

112.175.92.57
113.114.117.122
128.200.115.228
137.139.135.151
181.39.135.126
186.169.2.237
197.211.212.59
21.252.107.198
26.165.218.44
47.206.4.145
70.224.36.194
81.94.192.10
81.94.192.147
84.49.242.125
97.90.44.200

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.