This report covers the HOPLIGHT Trojan and the recently released analysis of it, conducted by multiple United States government agencies and published on the US-CERT website. The malware is a backdoor used to steal sensitive data and modify infected hosts. The delivery method is not discussed in the U.S. government report. The threat actor behind the Trojan is referred to by many different names; in government circles it is called HIDDEN COBRA, and it is based out of the DPRK (North Korea).
The HOPLIGHT trojan is used to take the following actions against infected hosts:
The analysis was performed by the following government agencies: the FBI (Federal Bureau of Investigation), the DOD (Department of Defense), and the DHS (Department of Homeland Security). Twenty different malware samples were examined. Sixteen of the files are used to start and maintain proxy connections back to the attacker’s command & control servers. These “proxy networking” samples use valid SSL/TLS certificates to generate fake TLS handshakes, disguising their communication with the bad actor’s command & control infrastructure.
Note: the enumeration process used by this malware involves checking the operating system version, listing the available system/network drives, pulling system metrics, and much more.
Most of the certificates come from the domain naver[.]com, a massive Korean search engine. They serve strictly to secure communications between the bad actor’s servers and the infected host. The servers require that these samples respond to the initial queries for a key found in the PolarSSL library. PolarSSL is the set of keys used by both naver[.]com and the malware itself.
Note: one sample uses a public certificate from google[.]com, so there is some variation in the certificates used.
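The certificate reuse described above is what a defender can look for on the wire: a valid naver[.]com or google[.]com certificate presented by a server that does not sit in those companies’ address space, or presented without a matching SNI. The Python below is an added example, not code from the report or its authors, that runs that consistency check over constructed session records; the log fields and the allow-listed address ranges are assumptions.

```python
import ipaddress

# Constructed TLS-session records in the shape a network sensor (e.g. Zeek ssl/x509 logs)
# might emit: client, server IP, SNI from the ClientHello, and the subject CN of the
# certificate the server presented. All values are made up for this example.
SESSIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sni": "www.naver.com", "cert_cn": "*.naver.com"},
    {"src": "10.0.0.7", "dst": "198.51.100.44", "sni": "", "cert_cn": "*.naver.com"},
    {"src": "10.0.0.9", "dst": "198.51.100.45", "sni": "update.example.net", "cert_cn": "*.google.com"},
]

# Assumed allow-list: ranges the defender has resolved and validated for the brands whose
# certificates are being reused. Placeholder documentation prefixes, not real naver/google space.
LEGIT_RANGES = {
    "naver.com": [ipaddress.ip_network("203.0.113.0/24")],
    "google.com": [ipaddress.ip_network("192.0.2.0/24")],
}

def cert_domain(cn):
    """Reduce a subject CN such as '*.naver.com' or 'www.naver.com' to its registrable domain."""
    parts = cn.lstrip("*.").split(".")
    return ".".join(parts[-2:])

def sni_matches(sni, cn):
    """True when the ClientHello SNI is covered by the certificate CN (wildcard = one label)."""
    if not sni:
        return False
    if cn.startswith("*."):
        return sni.endswith(cn[1:]) and sni.count(".") == cn.count(".")
    return sni == cn

def suspicious(session):
    """Return the list of reasons a session looks like certificate reuse by a third party."""
    reasons = []
    dom = cert_domain(session["cert_cn"])
    if dom in LEGIT_RANGES:
        dst = ipaddress.ip_address(session["dst"])
        if not any(dst in net for net in LEGIT_RANGES[dom]):
            reasons.append(f"{dom} certificate served from {dst}, outside known {dom} ranges")
        if not sni_matches(session["sni"], session["cert_cn"]):
            reasons.append(f"SNI {session['sni']!r} does not match certificate CN {session['cert_cn']}")
    return reasons

def flag_sessions(sessions):
    """Map each flagged server IP to its reasons; legitimate sessions are left out."""
    flagged = {}
    for s in sessions:
        reasons = suspicious(s)
        if reasons:
            flagged[s["dst"]] = reasons
    return flagged
```

In production the allow-list would be fed from DNS resolution or passive DNS rather than hard-coded, and the SNI check should also tolerate subjectAltName entries, which this example ignores.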
Infection may lead to unwanted network traffic, loss of sensitive data, unwanted system changes, and further compromise of already infected systems. Given enough time, a foreign adversary could gain valuable intelligence about your environment.
Some remediation steps can also be found in the US-CERT report linked below.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by our own CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.