DHS and FBI Uncovered North Korean Government Owned Hoplight Malware in Government Network

DHS and FBI discovered a new sophisticated malware called “Hoplight” which is operated by the North Korean Government as Hidden Cobra spotted on U.S government network.

This sophisticated malware variant used by the North Korean government to perform various cyber attack that targets various organization and Governments.

Researchers discovered nine malicious executable files that is used by attackers to steal the sensitive data from the targeted network.

Out of nine, seven of these files are proxy applications that deployed by threat actors to mask traffic between the malware and the remote operators.

These proxies have an ability to fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers to perform further operation.

According to US CERT, One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates.

Hoplight Malware Infection Process

Initially Trojan attempted to connect with its command and control server which is operating by the North Korean threat actors that drop 4 new files that contain IP addresses and SSL certificates.

New file artifacts referred as a weaponized PE32 executable, Once it executed on targeted system the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

During the beginning stage of the infection process, Hoplight malware performing following operations,

  • Read, Write, and Move Files
  • Enumerate System Drives
  • Create and Terminate Processes
  • Inject into Running Processes
  • Create, Start and Stop Services
  • Modify Registry Settings
  • Connect to a Remote Host
  • Upload and Download Files

This malware mainly abusing the public SSL certificate for secure communication to evade the security software detection.

” This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world. “

During the execution process of this malware, it will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware.

” The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malwar, ” FBI said.

You can also read the complete artifacts and various attempts to the target details here

Indicator of Compromise

Users or administrators should flag activity associated with the malware and the following IOC.

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)

Additional Files (4)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (15)

112.175.92.57
113.114.117.122
128.200.115.228
137.139.135.151
181.39.135.126
186.169.2.237
197.211.212.59
21.252.107.198
26.165.218.44
47.206.4.145
70.224.36.194
81.94.192.10
81.94.192.147
84.49.242.125
97.90.44.200

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago