This report covers the HOPLIGHT Trojan and the analysis of it recently published on the US-CERT website by multiple United States government agencies. The malware is a backdoor used to steal sensitive data and modify infected hosts. The delivery method is not discussed in the U.S. government report. The threat actor behind the Trojan is known by many names, but in government circles it is called HIDDEN COBRA and is based out of the DPRK (North Korea).
The HOPLIGHT trojan is used to take the following actions against infected hosts:
The analysis was performed by the following government agencies: the FBI (Federal Bureau of Investigation), the DOD (Department of Defense), and the DHS (Department of Homeland Security). It covers twenty different malware samples. Sixteen of the files are used to start and maintain proxy connections back to the attacker’s command and control servers. These “proxy networking” samples use valid SSL/TLS certificates to generate fake TLS handshakes, hiding their traffic with the bad actor’s command and control infrastructure.
Note: the enumeration process used by this malware includes checking the operating system version, listing the available system and network drives, pulling system metrics, and much more.
The certificates being used mostly come from the domain naver[.]com, a massive Korean search engine, and serve strictly to secure communications between the bad actor’s servers and the infected host. The servers require that these samples respond to the initial queries with a key found in the PolarSSL library; PolarSSL is the set of keys used by both naver[.]com and the malware itself.
Note: one sample uses a public certificate from google[.]com meaning that there’s some variation in the certificates used.
An infection may lead to unwanted network traffic, loss of sensitive data, unwanted system changes, and further compromise of already infected systems. Given enough time, a foreign adversary could gain valuable intelligence about your environment.
Some remediation steps can also be found in the US-CERT report linked below.
Supporting Documentation:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by our own CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.