Newly discovered HOPLIGHT backdoor trojan linked to North Korea-based HIDDEN COBRA group

• When executed, the malware is capable of collecting system information that includes the OS version, volume information and system time.
• The malware uses a built-in proxy application to mask its communication with the remote C2 server.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) has released a security alert about a new malware strain named HOPLIGHT. The backdoor trojan has been linked to HIDDEN COBRA, the North Korea-based hacking group.

What’s new - According to the joint report released by DHS and FBI, there are nine files associated with the malware. These nine files include digital signatures and none of them were previously available on VirusTotal.

“Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA,” said the official website of DHS.

The advisory also notes that “One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files."

What are its capabilities - When executed, the malware is capable of collecting system information that includes the OS version, volume information and system time.

The other capabilities of HOPLIGHT trojan include:

• Reading, writing and moving files;
• Calculating system drives;
• Creating and terminating processes;
• Injecting code into running processes;
• Creating, starting and killing services;
• Modifying registry settings;
• Connecting to a remote host;
• Uploading and downloading files.

The malware also uses a built-in proxy application to mask its communication with the remote C2 server.