Rewterz Threat Alert – North Korean HIDDEN COBRA Using HOPLIGHT Trojan

Severity

High

Analysis Summary

Security teams have identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. Sixteen of the detected files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. 

Below are the capabilities of this HOPLIGHT trojan: 

• Read, Write, and Move Files
• Enumerate System Drives
• Create and Terminate Processes
• Inject into Running Processes
• Create, Start and Stop Services
• Modify Registry Settings
• Connect to a Remote Host
• Upload and Download Files

Impact

• Unauthorized command execution
• Data exfiltration 
• Process disruption 

Indicators of Compromise

SHA-256

• 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c
• 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
• a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
• fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
• 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30
• 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
• 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
• 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
• b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
• 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
• 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6
• fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
• 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
• 44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980
• 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818
• 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
• ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
• 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
• 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
• 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
• 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319
• 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
• ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
• d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
• 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
• 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
• 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
• c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8
• f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
• b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
• 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
• 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
• cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
• b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
• 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
• 823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8
• 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
• 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461

Source IP

• 210[.]202[.]40[.]35
• 107[.]6[.]12[.]135
• 193[.]56[.]28[.]103
• 94[.]177[.]123[.]138
• 188[.]165[.]37[.]168
• 159[.]100[.]250[.]231
• 195[.]158[.]234[.]60
• 128[.]200[.]115[.]228
• 70[.]224[.]36[.]194
• 119[.]18[.]230[.]253
• 117[.]239[.]241[.]2
• 26[.]165[.]218[.]44
• 197[.]211[.]212[.]59
• 210[.]137[.]6[.]37
• 113[.]114[.]117[.]122
• 47[.]206[.]4[.]145
• 97[.]90[.]44[.]200
• 217[.]117[.]4[.]110
• 137[.]139[.]135[.]151
• 112[.]175[.]92[.]57
• 218[.]255[.]24[.]226
• 21[.]252[.]107[.]198
• 81[.]94[.]192[.]147
• 221[.]138[.]17[.]152
• 14[.]140[.]116[.]172
• 84[.]49[.]242[.]125
• 186[.]169[.]2[.]237
• 181[.]39[.]135[.]126
• 81[.]94[.]192[.]10

Remediation

• Block the threat indicators at their respective controls.
• Maintain up-to-date antivirus signatures and engines. 
• Keep operating system patches up-to-date. 
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication. 
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required. 
• Enforce a strong password policy and implement regular password changes. 
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known. 
• Disable unnecessary services on agency workstations and servers. 
• Scan for and remove suspicious e-mail attachments.