HOPLIGHT

Description

(US-CERT) This report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.

Names

Name
HOPLIGHT
HANGMAN

Category

Malware

Type

• Tunneling

Information

• https://www.us-cert.gov/ncas/analysis-reports/ar20-045g
• https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea

Mitre Attack

• https://attack.mitre.org/software/S0376/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:HOPLIGHT

Other Information

Uuid

a2a00578-4e93-4833-acbc-25ace6e45504

Last Card Change

2020-05-13