

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[1]

ID: S0376
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | HOPLIGHT can launch cmd.exe to execute commands on the system. [1]
Enterprise | T1043 | Commonly Used Port | HOPLIGHT has connected outbound over TCP port 443. [1]
Enterprise | T1090 | Connection Proxy | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. [1]
Enterprise | T1003 | Credential Dumping | HOPLIGHT has the capability to harvest credentials and passwords. [1]
Enterprise | T1001 | Data Obfuscation | HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [1]
Enterprise | T1089 | Disabling Security Tools | HOPLIGHT has modified the firewall using netsh. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | HOPLIGHT has used its C2 channel to exfiltrate data. [1]
Enterprise | T1008 | Fallback Channels | HOPLIGHT has multiple C2 channels in place in case one fails. [1]
Enterprise | T1083 | File and Directory Discovery | HOPLIGHT has been observed enumerating system drives and partitions. [1]
Enterprise | T1112 | Modify Registry | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [1]
Enterprise | T1075 | Pass the Hash | HOPLIGHT has been observed loading several APIs associated with Pass the Hash. [1]
Enterprise | T1055 | Process Injection | HOPLIGHT has injected into running processes. [1]
Enterprise | T1012 | Query Registry | A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name. [1]
Enterprise | T1105 | Remote File Copy | HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [1]
Enterprise | T1035 | Service Execution | HOPLIGHT has used svchost.exe to execute a malicious DLL. [1]
Enterprise | T1082 | System Information Discovery | HOPLIGHT has been observed collecting victim machine information such as OS version, drivers, volume information and more. [1]
Enterprise | T1124 | System Time Discovery | HOPLIGHT has been observed collecting system time from victim machines. [1]
Enterprise | T1065 | Uncommonly Used Port | HOPLIGHT has used uncommon TCP "high port" to "high port" communication. [1]
Enterprise | T1047 | Windows Management Instrumentation | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [1]

Groups That Use This Software

ID | Name | References
G0032 | Lazarus Group | [1]