HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[1]

ID: S0376
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | HOPLIGHT can launch cmd.exe to execute commands on the system. [1] |
| Enterprise | T1043 | Commonly Used Port | HOPLIGHT has connected outbound over TCP port 443. [1] |
| Enterprise | T1090 | Connection Proxy | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. [1] |
| Enterprise | T1003 | Credential Dumping | HOPLIGHT has the capability to harvest credentials and passwords. [1] |
| Enterprise | T1001 | Data Obfuscation | HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [1] |
| Enterprise | T1089 | Disabling Security Tools | HOPLIGHT has modified the firewall using netsh. [1] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | HOPLIGHT has used its C2 channel to exfiltrate data. [1] |
| Enterprise | T1008 | Fallback Channels | HOPLIGHT has multiple C2 channels in place in case one fails. [1] |
| Enterprise | T1083 | File and Directory Discovery | HOPLIGHT has been observed enumerating system drives and partitions. [1] |
| Enterprise | T1112 | Modify Registry | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [1] |
| Enterprise | T1075 | Pass the Hash | HOPLIGHT has been observed loading several APIs associated with Pass the Hash. [1] |
| Enterprise | T1055 | Process Injection | HOPLIGHT has injected into running processes. [1] |
| Enterprise | T1012 | Query Registry | A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name. [1] |
| Enterprise | T1105 | Remote File Copy | HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [1] |
| Enterprise | T1035 | Service Execution | HOPLIGHT has used svchost.exe to execute a malicious DLL. [1] |
| Enterprise | T1082 | System Information Discovery | HOPLIGHT has been observed collecting victim machine information such as OS version, drivers, volume information and more. [1] |
| Enterprise | T1124 | System Time Discovery | HOPLIGHT has been observed collecting system time from victim machines. [1] |
| Enterprise | T1065 | Uncommonly Used Port | HOPLIGHT has used uncommon TCP "high port" to "high port" communication. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [1] |


Groups that use this software:

Lazarus Group