The Department of Homeland Security is warning enterprises about a newly discovered trojan that they say is being used by North Korean APT actors. The malware is complex and multi-faceted and uses a public SSL certificate to help make its traffic appear legitimate.
In a new report, DHS and the FBI attribute the malware, which they call Hoplight, to the group that they track as Hidden Cobra, a kind of catch-all name for North Korean actors associated with the country’s government. The United States government has publicly called out Hidden Cobra activity and tools on several occasions, and the new malware that DHS analyzed has a broad range of capabilities and functions designed to keep it hidden on compromised systems. Hoplight comprises 20 separate executable files, 16 of which are proxies that disguise traffic between the operators and the malware on target machines.
“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files,” the DHS analysis says.
Hoplight has a number of typical trojan capabilities. Once it’s installed, it sets about collecting information about the system and enumerates the drives and partitions. The malware can read, write, and move files, create and kill processes and services, edit registry settings, and upload and download files to and from a remote server. Hoplight also comes with four hardcoded IP addresses for its command-and-control servers, and once the malware executes, it tries to perform a TLS handshake with one of those servers. After the handshake is complete, Hoplight uses a custom encryption scheme to secure the traffic between the server and the compromised machine.
“The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world,” the analysis says.
“The malware uses the default certificates/private keys that come with PolarSSL. These are generally used for testing purposes only. Additionally the C2 IPs that act as the server for the TLS handshake require the malware to respond back with a client key. This key is also a default key found within the PolarSSL libraries.”
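The two quoted paragraphs describe what a defender can look for: a TLS session that presents a certificate for a well-known public site (here www.naver.com) from a server that has no business holding it, and sessions whose certificates are the PolarSSL test material rather than anything issued by a real CA. The script below is an added example and not part of the DHS report or of Hoplight itself. It walks tab-separated TLS log lines in the shape of a Zeek `ssl.log` export (the field list, the sample connections, the IP addresses and the "expected network" for the Naver certificate are all constructed for illustration; in practice the expected networks would come from DNS or passive-DNS history) and flags sessions where the certificate's subject CN is on a watch list but the responding host is outside the expected ranges, where the SNI is missing or does not match that CN, or where the subject or issuer carries the PolarSSL test-CA name (assumed to read "PolarSSL Test CA", as in the library's shipped test data).

```python
"""
Hunt for Hoplight-style fake TLS handshakes in TLS connection logs.

Heuristics (all from the DHS description of the malware's traffic):
  1. A certificate for a watched public domain presented by a server that
     is not in the networks where that domain legitimately lives.
  2. That certificate presented without an SNI, or with an SNI that does
     not match the certificate's CN.
  3. A subject or issuer naming the PolarSSL / mbed TLS test CA.
"""
import ipaddress

# Column order of the constructed log lines below (Zeek ssl.log style).
FIELDS = ["ts", "uid", "orig_h", "resp_h", "resp_p", "server_name",
          "subject", "issuer", "established"]

# Constructed: networks where a www.naver.com certificate is expected.
# 203.0.113.0/24 is a documentation range, not Naver's real address space.
EXPECTED_NETWORKS = {
    "www.naver.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Assumption: the PolarSSL test data uses this CA name and organisation.
TEST_CA_MARKERS = ("PolarSSL Test CA", "O=PolarSSL")

# Constructed sample log: C1 legitimate, C2 Naver cert from a stray host
# with no SNI, C3 PolarSSL test certificate, C4 ordinary internal service.
SAMPLE_LOG = (
    "1554900001.0\tC1\t10.0.0.5\t203.0.113.10\t443\twww.naver.com\t"
    "CN=www.naver.com,O=Constructed,C=KR\tCN=Example Public CA,O=Example,C=US\tT\n"
    "1554900002.0\tC2\t10.0.0.5\t198.51.100.7\t443\t-\t"
    "CN=www.naver.com,O=Constructed,C=KR\tCN=Example Public CA,O=Example,C=US\tT\n"
    "1554900003.0\tC3\t10.0.0.9\t198.51.100.8\t443\t-\t"
    "CN=localhost,O=PolarSSL,C=NL\tCN=PolarSSL Test CA,O=PolarSSL,C=NL\tT\n"
    "1554900004.0\tC4\t10.0.0.9\t10.1.1.1\t443\tintranet.example.net\t"
    "CN=intranet.example.net,O=Example,C=US\tCN=Example Internal CA,O=Example,C=US\tT\n"
)


def cn_of(dn):
    """Return the CN attribute of a comma-separated DN string, or ''."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""


def parse_ssl_log(text):
    """Turn tab-separated log lines into dicts keyed by FIELDS; skip junk."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, values)))
    return records


def check(rec):
    """Return the list of reasons a single TLS session looks suspicious."""
    reasons = []
    cn = cn_of(rec["subject"])
    sni = rec["server_name"]
    if cn in EXPECTED_NETWORKS:
        ip = ipaddress.ip_address(rec["resp_h"])
        if not any(ip in net for net in EXPECTED_NETWORKS[cn]):
            reasons.append(f"certificate for {cn} presented by unexpected host {ip}")
        if sni != cn:
            reasons.append(f"SNI {sni!r} missing or does not match certificate CN {cn}")
    blob = rec["subject"] + "|" + rec["issuer"]
    if any(marker in blob for marker in TEST_CA_MARKERS):
        reasons.append("PolarSSL test certificate material in subject/issuer")
    return reasons


def find_suspicious(text):
    """Map connection uid -> reasons, for every session that trips a rule."""
    hits = {}
    for rec in parse_ssl_log(text):
        reasons = check(rec)
        if reasons:
            hits[rec["uid"]] = reasons
    return hits


if __name__ == "__main__":
    for uid, reasons in find_suspicious(SAMPLE_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

Run as-is it reports C2 (Naver certificate from a host outside the expected range, no SNI) and C3 (PolarSSL test CA) and stays quiet on the legitimate sessions. The allowlist approach is deliberately narrow: it only judges certificates for domains you have chosen to watch, so it does not drown in alerts from ordinary internal services, and the test-CA check is independent of any allowlist because no production server should ever present that material.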
It’s common for malware, particularly tools developed by high-level actors, to use valid SSL certificates to help secure their communications and to make the traffic blend in with ordinary HTTPS. The certificate also helps lend an air of legitimacy to the tool if the victim happens to discover it.
Hoplight targets Windows systems, both 32-bit and 64-bit versions. The DHS analysis does not provide any details on how Hoplight is installed on target systems or what its distribution method is.
CC By SA license photo by Dinesh Valke.