The U.S. government publishes details of North Korea's HOPLIGHT malware

DHS and FBI publish their sixteenth report on North Korean malware.


Today, the U.S. government issued a security alert about a new strain of malware used by North Korean hackers, which it has named HOPLIGHT.

The report, written by malware analysts from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), attributes the malware to HIDDEN COBRA, the name the U.S. government uses for North Korea's main state-sponsored hacking group, which news articles and cyber security reports also refer to as the Lazarus Group.


SECURITY ALERT WARNS OF DANGEROUS BACKDOOR TROJAN

According to the DHS-FBI alert, HOPLIGHT is a fully featured backdoor Trojan. The malware collects system information from infected hosts and sends it to a remote server. It can also receive commands from its command-and-control (C&C) server and carry out a range of operations on the infected host.

According to the DHS-FBI report, HOPLIGHT can:

  • Read, write, and move files
  • Enumerate system drives
  • Create and terminate processes
  • Inject code into running processes
  • Create, start, and stop services
  • Modify registry settings
  • Connect to a remote host
  • Upload and download files

The malware also uses an integrated proxy to mask its communication with the command-and-control (C&C) server. "Proxies can make false TLS handshake sessions with valid public SSL certificates, masking network connections with malicious remote actors," DHS and FBI analysts said. In practice this means the traffic looks like an ordinary HTTPS session to a legitimate site, so a detection that only checks the certificate presented in the handshake is not enough on its own.

Malware Analysis Report (AR19-100A)

File information for the Trojan.Hoplight sample:

File information
  Size:        240K
  SHA-1:       05ad5f346d0282e43360965373eb2a8d39735137
  MD5:         3021b9ef74c7bddf59656a035f94fd08
  CRC-32:      7fe2df72
  File type:   application/x-ms-dos-executable
  First seen:  2019-04-14
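The hashes above are the only host-based indicators this page carries, so the practical thing to do with them is sweep a file system for the sample. The script below is an added example, not code from the DHS-FBI report or the alert: it computes the same three fingerprints listed above (MD5, SHA-1, CRC-32) for each file under a directory and reports matches against the indicators from this page. The scan root (`C:\Users`, or whatever you pass) and the chunked-read size are assumptions; the indicator values are copied from the table above.

```python
"""Sweep a directory tree for the HOPLIGHT sample using the hashes published above.

Added example, not part of the DHS-FBI report. Only the indicator values
come from the page; everything else (paths, chunk size) is an assumption.
"""
import hashlib
import os
import zlib
from pathlib import Path

# Indicators copied from the file-information block on this page (AR19-100A sample).
HOPLIGHT_IOCS = {
    "sha1": {"05ad5f346d0282e43360965373eb2a8d39735137"},
    "md5": {"3021b9ef74c7bddf59656a035f94fd08"},
    "crc32": {"7fe2df72"},
}


def _crc32_hex(value: int) -> str:
    # zlib.crc32 returns an unsigned 32-bit int on Python 3; format like the page (8 hex digits).
    return f"{value & 0xFFFFFFFF:08x}"


def fingerprint_bytes(data: bytes) -> dict:
    """Fingerprint an in-memory blob; used for testing and for small files."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": _crc32_hex(zlib.crc32(data)),
        "size": len(data),
    }


def fingerprint_file(path, chunk_size: int = 1 << 20) -> dict:
    """Fingerprint a file on disk in chunks so large binaries do not have to fit in memory."""
    md5, sha1, crc, size = hashlib.md5(), hashlib.sha1(), 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)  # running CRC across chunks
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crc32": _crc32_hex(crc), "size": size}


def match_iocs(fp: dict, iocs: dict = HOPLIGHT_IOCS) -> list:
    """Return the indicator types that hit, in order of strength.

    A SHA-1 or MD5 hit identifies the exact sample. A CRC-32-only hit is weak
    evidence (32-bit checksum, trivially collidable) and should be treated as
    a prompt to look closer, not as a detection.
    """
    return [kind for kind in ("sha1", "md5", "crc32") if fp.get(kind) in iocs.get(kind, set())]


def scan_directory(root, iocs: dict = HOPLIGHT_IOCS) -> list:
    """Walk `root` and return (path, matched_indicator_types, fingerprint) for every hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                fp = fingerprint_file(path)
            except OSError:
                continue  # unreadable / locked / vanished; skip rather than abort the sweep
            matched = match_iocs(fp, iocs)
            if matched:
                hits.append((str(path), matched, fp))
    return hits


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed default: current directory
    for path, matched, fp in scan_directory(scan_root):
        strength = "STRONG" if ("sha1" in matched or "md5" in matched) else "weak (crc32 only)"
        print(f"{strength}: {path} size={fp['size']} sha1={fp['sha1']}")
```

A hash match only catches this exact binary; a recompiled or repacked HOPLIGHT build has different hashes and will pass this sweep untouched, which is why the network behaviour described above (fake TLS sessions fronted by valid certificates) is worth hunting for separately.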