Itpa webheader

'Hoplight' Trojan can issue valid SSL certificates

By Dylan Bushell-Embling
Tuesday, 16 April, 2019

'Hoplight' Trojan can issue valid SSL certificates

The US Computer Emergency Readiness Team has warned of a newly discovered Trojan that appears to be linked to North Korean state-sponsored attackers.

The new Trojan variant, named Hoplight, has allegedly been traced to the North Korean advanced persistent threat group that CERT calls Hidden Cobra.

Hidden Cobra — also known as Lazarus — is the group blamed for the WannaCry ransomware attacks in 2017, as well as the Sony Pictures breach of 2014 in advance of the release of The Interview, a satirical comedy critical of the North Korean regime.

While CERT stated that the file has been spotted in the wild, it has not provided any details of the victims or targets of the Trojan.

A security alert issued by CERT analyses nine malicious executable files associated with Hoplight, including seven that are proxy applications designed to mask traffic between the malware and the command and control server.

These proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates from South Korea’s largest search engine, Naver.

The remaining files comprise a public SSL certificate with an embedded malicious payload that appears to be encoded with a password or key, as well as a file that attempts outbound connections and drops four additional files primarily containing IP addresses and SSL certificates.

Once it infects a system, Hoplight is designed to collect key information about compromised machines. The Trojan is also capable of reading, writing and moving files, creating and terminating processes, starting and stopping services, modifying registry settings, and uploading and downloading files.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued the standard advice for organisations seeking to defend against the new Trojan threat, including keeping patches and antivirus engines up to date, disabling unnecessary services such as printer and file sharing services, and scanning all software and all files downloaded from the internet.

Image credit: © Jackson

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to

Related Articles

Best of 2019: Getting to grips with privacy obligations

Across the festive season we'll be reprising some of our best articles from 2019. Today, a...

Best of 2019: Cloud customers still making basic security mistakes

Across the festive season we'll be reprising some of our best articles from 2019. Today we...

The highs and lows of IT in 2019

Implementation of legislation, ongoing security challenges, the nbn, skills visas and many other...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd