HOPLIGHT Trojan Overview
This report covers the HOPLIGHT Trojan and the analysis of it that several United States government agencies published on the US-CERT website. HOPLIGHT is a backdoor used to steal sensitive data from and modify infected hosts. The government report does not discuss the delivery method. The threat actor behind the Trojan goes by many names; in government circles it is tracked as HIDDEN COBRA and attributed to the DPRK (North Korea).
Tactics, Techniques, and Procedures
The HOPLIGHT trojan is used to take the following actions against infected hosts:
- File handling (read, write, move)
- Host enumeration
- Process manipulation (creation, termination, and injection)
- Windows Registry key modification
- Contacting command & control (C2) infrastructure
- Uploading and downloading files
The analysis was performed by the FBI (Federal Bureau of Investigation), the DOD (Department of Defense), and the DHS (Department of Homeland Security) and covers twenty malware samples. Sixteen of them are proxy applications that start and maintain connections between the infected host and the attacker's command & control servers. These proxy samples carry valid public SSL/TLS certificates and use them to generate fake TLS handshakes, so that traffic to the command & control infrastructure looks like an ordinary HTTPS session with a legitimate site.
Note: the enumeration performed by this malware includes checking the operating system version, listing the available system and network drives, collecting system metrics, and much more.
The embedded certificates mostly belong to naver[.]com, a massive Korean search engine. Their purpose is disguise rather than protection: the malware does not hold Naver's private key, so the certificate does not secure anything; it simply makes a network observer see what looks like a TLS session with a popular site while the real endpoint is the bad actor's server. The samples build these handshakes with PolarSSL, an open-source TLS library (since renamed Mbed TLS) that is linked into the malware; the command & control servers expect the samples to answer their initial queries with a key found in that PolarSSL code.
Note: one sample uses a public certificate from google[.]com, so the certificates used do vary.
A successful infection may lead to unwanted network traffic, loss of sensitive data, unwanted system changes, and the further compromise of already infected systems. Given enough time, a foreign adversary could gain valuable intelligence about your environment.
- Highly encouraged: download the indicators of compromise from the US-CERT report (linked below) or from IBM X-Force Exchange
- Scan your endpoints, where possible, for those indicators and any other signs of successful compromise
- Critical: report any confirmed compromise to FBI CyWatch or to CISA (Cybersecurity and Infrastructure Security Agency) as soon as possible
- Consider implementing strong process monitoring with tools such as Windows Sysinternals (for example, Sysmon)
LogRhythm SIEM Users:
- Check that the AIE: C2: Abnormal Process Activity rule is enabled and working properly
- Look for suspicious SSL/TLS sessions: connections that present a naver[.]com (or google[.]com) certificate but terminate at an address those sites do not own, that carry no SNI or an SNI that does not match the certificate, or whose client fingerprint points to PolarSSL rather than a browser, as these may be signs of a fake TLS handshake with HOPLIGHT infrastructure
- Tools or appliances with deep packet inspection are an excellent way to monitor for this kind of suspicious network traffic.
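The following script is an added example, not code from the US-CERT report or from Avertium, that turns the certificate-borrowing behaviour described above and the SIEM hunting advice into a concrete check. It parses Zeek-style ssl.log lines and flags sessions where a certificate for a watched domain (naver[.]com, google[.]com) is served from an address outside the ranges that domain is expected to resolve to, or where the SNI is missing or does not match the certificate, which is exactly what a fake TLS handshake to a C2 server looks like from the network. The log lines are constructed, and the address allowlist is a placeholder assumption (TEST-NET ranges) that you must replace with the addresses those sites actually resolve to from your network.

```python
"""Hunt for fake-TLS C2 sessions in Zeek-style ssl.log lines (added example)."""
import ipaddress

# Zeek ssl.log columns used here, tab separated, with '-' for an unset field.
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p",
          "server_name", "subject", "issuer"]

# ASSUMPTION: where a genuine session for each watched domain should terminate.
# These are TEST-NET placeholders; replace them with the ranges the domains
# really resolve to from your environment (or feed them from DNS logs).
EXPECTED_NETS = {
    "naver.com":  [ipaddress.ip_network("203.0.113.0/24")],
    "google.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample log: one benign naver session, one benign google session,
# and three sessions that present a naver.com certificate from elsewhere.
SAMPLE_SSL_LOG = """\
1572900001.1\t10.0.0.15\t203.0.113.10\t443\twww.naver.com\tCN=www.naver.com,O=NAVER Corp.,C=KR\tCN=DigiCert
1572900002.2\t10.0.0.15\t192.0.2.77\t443\t-\tCN=www.naver.com,O=NAVER Corp.,C=KR\tCN=DigiCert
1572900003.3\t10.0.0.22\t192.0.2.78\t8443\twww.naver.com\tCN=www.naver.com,O=NAVER Corp.,C=KR\tCN=DigiCert
1572900004.4\t10.0.0.22\t198.51.100.5\t443\twww.google.com\tCN=www.google.com,O=Google LLC,C=US\tCN=GTS
1572900005.5\t10.0.0.30\t192.0.2.79\t443\tupdate.example.org\tCN=www.naver.com,O=NAVER Corp.,C=KR\tCN=DigiCert
"""


def parse_ssl_log(text):
    """Return one dict per data line; skip comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def cert_cn(subject):
    """Extract the CN from a 'CN=...,O=...,C=...' subject string (lowercased)."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            return value.lower()
    return ""


def watched_domain(name):
    """Map a hostname to the watched domain it belongs to, or None."""
    for domain in EXPECTED_NETS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def flag_fake_tls(rows):
    """Return (ts, src, dst, reasons) for sessions whose certificate does not
    fit the destination address or the SNI the client asked for."""
    alerts = []
    for row in rows:
        domain = watched_domain(cert_cn(row["subject"]))
        if domain is None:
            continue  # certificate is not for a domain we track
        reasons = []
        resp = ipaddress.ip_address(row["id.resp_h"])
        if not any(resp in net for net in EXPECTED_NETS[domain]):
            reasons.append("certificate for %s served from unexpected address %s"
                           % (domain, resp))
        sni = row["server_name"]
        if sni == "-":
            reasons.append("no SNI sent")  # custom TLS stacks often omit it
        elif watched_domain(sni.lower()) != domain:
            reasons.append("SNI %s does not match certificate" % sni)
        if reasons:
            alerts.append((row["ts"], row["id.orig_h"], row["id.resp_h"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, reasons in flag_fake_tls(parse_ssl_log(SAMPLE_SSL_LOG)):
        print("%s %s -> %s: %s" % (ts, src, dst, "; ".join(reasons)))
```

Run against your real ssl.log by replacing SAMPLE_SSL_LOG with the file contents and EXPECTED_NETS with ranges taken from your own DNS resolutions; the same logic can be expressed as a LogRhythm or Zeek rule once the expected ranges are known. A session that passes this check is not proven clean (the C2 address can change), but a session that fails it, especially one with no SNI, deserves a look at the originating host.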
Some remediation steps can also be found in the US-CERT report linked below.
- US-CERT Report: https://www.us-cert.gov/ncas/analysis-reports/ar19-304a
- Dark Reading Article: https://www.darkreading.com/threat-intelligence/new-hoplight-malware-appears-in-latest-north-korean-attacks-say-dhs-fbi/d/d-id/1334406
- MITRE Description: https://attack.mitre.org/groups/G0032
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by our own CyberOps Team, this report outlines a "top-of-mind" threat and how it ought to be addressed.
This informed analysis is based on the latest data available.