HOPLIGHT

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government. [1]

ID: S0376
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

HOPLIGHT can launch cmd.exe to execute commands on the system. [1]

Enterprise T1043 Commonly Used Port

HOPLIGHT has connected outbound over TCP port 443. [1]

Enterprise T1090 Connection Proxy

HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. [1]

Enterprise T1003 Credential Dumping

HOPLIGHT has the capability to harvest credentials and passwords. [1]

Enterprise T1001 Data Obfuscation

HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [1]

Enterprise T1089 Disabling Security Tools

HOPLIGHT has modified the firewall using netsh. [1]

Enterprise T1041 Exfiltration Over Command and Control Channel

HOPLIGHT has used its C2 channel to exfiltrate data. [1]

Enterprise T1008 Fallback Channels

HOPLIGHT has multiple C2 channels in place in case one fails. [1]

Enterprise T1083 File and Directory Discovery

HOPLIGHT has been observed enumerating system drives and partitions. [1]

Enterprise T1112 Modify Registry

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [1]

Enterprise T1075 Pass the Hash

HOPLIGHT has been observed loading several APIs associated with Pass the Hash. [1]

Enterprise T1055 Process Injection

HOPLIGHT has injected into running processes. [1]

Enterprise T1012 Query Registry

A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name. [1]

Enterprise T1105 Remote File Copy

HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [1]

Enterprise T1035 Service Execution

HOPLIGHT has used svchost.exe to execute a malicious DLL. [1]

Enterprise T1082 System Information Discovery

HOPLIGHT has been observed collecting victim machine information such as OS version, drivers, volume information and more. [1]

Enterprise T1124 System Time Discovery

HOPLIGHT has been observed collecting system time from victim machines. [1]

Enterprise T1065 Uncommonly Used Port

HOPLIGHT has used uncommon TCP "high port" to "high port" communication. [1]

Enterprise T1047 Windows Management Instrumentation

HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References