DHS and FBI discovered a new sophisticated malware called “Hoplight” which is operated by the North Korean Government as Hidden Cobra spotted on U.S government network.
This sophisticated malware variant used by the North Korean government to perform various cyber attack that targets various organization and Governments.
Researchers discovered nine malicious executable files that is used by attackers to steal the sensitive data from the targeted network.
Out of nine, seven of these files are proxy applications that deployed by threat actors to mask traffic between the malware and the remote operators.
These proxies have an ability to fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers to perform further operation.
According to US CERT, One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates.
Hoplight Malware Infection Process
Initially Trojan attempted to connect with its command and control server which is operating by the North Korean threat actors that drop 4 new files that contain IP addresses and SSL certificates.
New file artifacts referred as a weaponized PE32 executable, Once it executed on targeted system the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.
During the beginning stage of the infection process, Hoplight malware performing following operations,
- Read, Write, and Move Files
- Enumerate System Drives
- Create and Terminate Processes
- Inject into Running Processes
- Create, Start and Stop Services
- Modify Registry Settings
- Connect to a Remote Host
- Upload and Download Files
This malware mainly abusing the public SSL certificate for secure communication to evade the security software detection.
” This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world. “
During the execution process of this malware, it will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware.
” The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and
You can also read the complete artifacts and various attempts to the target details here
Indicator of Compromise
Users or administrators should flag activity associated with the malware and the following IOC.
05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)
12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)
2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)
4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)
4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)
70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)
83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)
d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)
ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)
Additional Files (4)
49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)
70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)
cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)
IPs (15)
