US government warned about North Korea’s Hoplight malware

The US government issued a security warning that North Korean hackers used a new type of malware, Hoplight which is a very powerful backdoor Trojan. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) malware analysts jointly released the report, arguing that HOPLIGHT malware belongs to the North Korean hacker organization, HIDDEN COBRA.

The malware collects information on the infected system and sends the data to a remote server. It can also receive commands to control the server and perform various operations on the infected host. Reports show that Hoplight can read, write and move files; enumerate system drivers; create and terminate processes; inject code into running processes; create, start and stop services; modify registry settings; connect to remote hosts; upload and download the file. In addition, the malware uses a built-in proxy application to hide its communication with the remote command and control server.

Analysts at DHS and FBI said that Hoplight malware can to create “fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. When executed the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

An official of the Department of Homeland Security’s Cyber ​​Security and Infrastructure Security Agency (CISA) said that the variants of the HOPLIGHT malware are brand new and have not been publicly released before. There are many signs of using HOPLIGHT on a global scale.