'Hoplight' Trojan can issue valid SSL certificates

By Dylan Bushell-Embling
Tuesday, 16 April, 2019

The US Computer Emergency Readiness Team has warned of a newly discovered Trojan that appears to be linked to North Korean state-sponsored attackers.

The new Trojan variant, named Hoplight, has allegedly been traced to the North Korean advanced persistent threat group that CERT calls Hidden Cobra.

Hidden Cobra — also known as Lazarus — is the group blamed for the WannaCry ransomware attacks in 2017, as well as the Sony Pictures breach of 2014 in advance of the release of The Interview, a satirical comedy critical of the North Korean regime.

While CERT stated that the file has been spotted in the wild, it has not provided any details of the victims or targets of the Trojan.

A security alert issued by CERT analyses nine malicious executable files associated with Hoplight, including seven that are proxy applications designed to mask traffic between the malware and the command and control server.

These proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates from South Korea’s largest search engine, Naver.

The remaining files comprise a public SSL certificate with an embedded malicious payload that appears to be encoded with a password or key, as well as a file that attempts outbound connections and drops four additional files primarily containing IP addresses and SSL certificates.

Once it infects a system, Hoplight is designed to collect key information about compromised machines. The Trojan is also capable of reading, writing and moving files, creating and terminating processes, starting and stopping services, modifying registry settings, and uploading and downloading files.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued the standard advice for organisations seeking to defend against the new Trojan threat, including keeping patches and antivirus engines up to date, disabling unnecessary services such as printer and file sharing services, and scanning all software and all files downloaded from the internet.

Image credit: ©iStockphoto.com/Brian Jackson

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.