Categories: Computer SecurityInternetMalware

DHS and FBI Uncovered North Korean Government Owned Hoplight Malware in Government Network

DHS and FBI discovered a new sophisticated malware called “Hoplight” which is operated by the North Korean Government as Hidden Cobra spotted on U.S government network.

This sophisticated malware variant used by the North Korean government to perform various cyber attack that targets various organization and Governments.

Researchers discovered nine malicious executable files that is used by attackers to steal the sensitive data from the targeted network.

Out of nine, seven of these files are proxy applications that deployed by threat actors to mask traffic between the malware and the remote operators.

These proxies have an ability to fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers to perform further operation.

According to US CERT, One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates.

Hoplight Malware Infection Process

Initially Trojan attempted to connect with its command and control server which is operating by the North Korean threat actors that drop 4 new files that contain IP addresses and SSL certificates.

New file artifacts referred as a weaponized PE32 executable, Once it executed on targeted system the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

During the beginning stage of the infection process, Hoplight malware performing following operations,

  • Read, Write, and Move Files
  • Enumerate System Drives
  • Create and Terminate Processes
  • Inject into Running Processes
  • Create, Start and Stop Services
  • Modify Registry Settings
  • Connect to a Remote Host
  • Upload and Download Files

This malware mainly abusing the public SSL certificate for secure communication to evade the security software detection.

” This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world. “

During the execution process of this malware, it will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware.

” The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malwar, ” FBI said.

You can also read the complete artifacts and various attempts to the target details here

Indicator of Compromise

Users or administrators should flag activity associated with the malware and the following IOC.

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)

Additional Files (4)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (15)

112.175.92.57
113.114.117.122
128.200.115.228
137.139.135.151
181.39.135.126
186.169.2.237
197.211.212.59
21.252.107.198
26.165.218.44
47.206.4.145
70.224.36.194
81.94.192.10
81.94.192.147
84.49.242.125
97.90.44.200

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Leave a Comment
Share
Published by
Balaji
Tags: computer securityCyber Security NewsDHSFBIMalware
6 years ago

Recent Posts

New PayPal Phishing Abusing Microsoft365 Domains for Sophisticated Attacks

A new and sophisticated phishing scam has been uncovered, leveraging Microsoft 365 domains to trick…

3 hours ago

APT32 Hacker Group Attacking Cybersecurity Professionals Poisoning GitHub

The malicious Southeast Asian APT group known as OceanLotus (APT32) has been implicated in a…

4 hours ago

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages "solanacore," "solana login," and "walletcore-gen" on npmjs target Solana developers with Windows trojans…

6 hours ago

New Great Morpheus Hacker Group Claims Hacking Into Arrotex Pharmaceuticals And PUS GmbH

A Data Leak Site (DLS) belonging to a new extortion group named Morpheus, which has…

6 hours ago

Green Bay Packers Store Hacked – Thousands of Credit Cards Data Stolen

The Green Bay Packers, Inc. has confirmed that its online merchandise store was hacked, leading…

6 hours ago

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is the…

6 hours ago