On April 10, 2019 the US Department of Homeland Security (DHS) released a Malware Analysis Report (MAR-10135536-8) detailing the trojan HopLight. HopLight has been linked to several North Korean (DPRK) campaigns attributed to the Lazarus Group. The CB Threat Analysis Unit (TAU) has continued to track this group and the malware used in its campaigns. There is a substantial amount of code reuse in these samples that matches previous samples, specifically in the way APIs are dynamically loaded, network connections are initiated, and cryptographic functions are implemented. The IDA Pro BinDiff plugin indicated that the majority of samples covered in this report are 85% similar to one another (the x64 version was ~72% similar).
Behavior Summary
The DHS report on the HopLight variants does not state how attackers may have initially compromised the systems on which this malware was found. It should also be noted that many of these samples were detected with existing feeds and queries, and would have been terminated by previously recommended rules. The samples vary in compilation date; however, future variants are likely to continue to show the same characteristics seen in these variants and in malware previously used by the Lazarus Group. Many of the samples dynamically load APIs and create or modify .dat or .dll files in specific locations on the compromised system. Additionally, these variants inject code into or modify processes and make network connections to different Command and Control (C2) sites. Examples of the TTPs generated for this family are shown in the images below.
The images below show example process trees created by 64-bit and 32-bit versions (respectively) of variants belonging to the HopLight family.
MITRE ATT&CK TIDs
| TID | Tactic | Description |
| --- | --- | --- |
| T1055 | Process Injection | Code is injected into the memory of other processes |
| T1134 | Access Token Manipulation | Samples have the capability to manipulate access tokens |
| T1107 | File Deletion | The HopLight variants can create and delete files on the infected system |
| T1043 | Commonly Used Ports | The HopLight variants reach out to C2s over port 443 |
| T1024 | Custom Cryptographic Protocol | The HopLight variants use a modified version of what appears to be the Caracachs algorithm |
| T1002 | Data Compressed | The HopLight variants can compress data |
| T1022 | Data Encrypted | Data transmitted to the C2 can be encrypted by the variants |
| T1005 | Data from Local System | The HopLight variants gather system information and transmit it back to the C2 |
| T1057 | Process Discovery | The HopLight variants can enumerate processes as well as kill processes |
| T1105 | Remote File Copy | The HopLight variants can download files to the infected system and execute them if they are binaries |
| T1065 | Uncommonly Used Ports | The HopLight variants reach out to C2s over port 7443 |
Indicators of Compromise (IOCs)
Yara Rules

```yara
rule hoplight_RAT_2019_Q2 : TAU APT DPRK
{
    meta:
        author = "CarbonBlack Threat Research" // jmyers
        date = "2019-April-10"
        link = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
        TID = "T1002, T1005, T1022, T1024, T1043, T1055, T1057, T1065, T1105, T1107, T1134"
        description = "HopLight DHS MAR-19-100A"
        rule_version = 1
        yara_version = "3.7.0"
        exemplar_hashes = "83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a"

    strings:
        $s1 = "udbcgiut.dat" wide ascii
        $s2 = "master secret" wide ascii
        $s3 = "key expansion" wide ascii
        $s4 = {B8 CA 18 17}                 // return code success
        $s5 = {08 AB DF BC}                 // return code error
        $s6 = {00 BB 01 [16-24] 00 13 1D}   // TCP ports
        $s7 = {68 C2 B6 00 00}              // hard coded response

        $api1 = "accept"
        $api2 = "bind"
        $api3 = "ChangeServiceConfig2"
        $api4 = "closesocket"
        $api5 = "connect"
        $api6 = "CreateEnvironmentBlock"
        $api7 = "CreateFile"
        $api8 = "CreateMutex"
        $api9 = "CreateProcessAsUser"
        $api10 = "CreateService"
        $api11 = "CreateThread"
        $api12 = "CreateToolhelp32Snapshot"
        $api13 = "DestroyEnvironmentBlock"
        $api14 = "DeviceIoControl"
        $api15 = "DuplicateTokenEx"
        $api16 = "FindClose"
        $api17 = "FindFirstFile"
        $api18 = "FindNextFile"
        $api19 = "FreeLibrary"
        $api20 = "GetAdaptersInfo"
        $api21 = "GetCurrentDirectory"
        $api22 = "GetCurrentProcess"
        $api23 = "GetDiskFreeSpaceEx"
        $api24 = "GetDriveType"
        $api25 = "GetExitCodeProcess"

    condition:
        4 of ($s*) and uint16(0) == 0x5a4d and all of ($api*)
}

rule hoplight_dropper_RAT_2019_Q2 : TAU APT DPRK
{
    meta:
        author = "CarbonBlack Threat Research" // jmyers
        date = "2019-April-10"
        link = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
        TID = "T1002, T1005, T1022, T1024, T1043, T1055, T1057, T1065, T1105, T1107, T1134"
        description = "HopLight Dropper DHS MAR-19-100A"
        rule_version = 1
        yara_version = "3.7.0"
        exemplar_hashes = "12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d"

    strings:
        $s1 = "udbcgiut.dat"
        $s2 = "rdpproto.dll"
        $s3 = {3D 12 08 00 00}   // hard coded error code
        $s4 = {6C 00 73 00}      // lsass string stack for injection
        $s5 = {61 00 73 00}      // lsass string stack for injection
        $s6 = "Process32First"
        $s7 = "WriteFile"
        $s8 = "CreateToolhelp32Snapshot"
        $s9 = "LocalAlloc"
        $s10 = "SetFilePointer"
        $s11 = "VirtualAlloc"
        $mz1 = {4D 5A 90}

    condition:
        10 of ($s*) and $mz1 in (60000 .. filesize) and uint16(0) == 0x5a4d
}
```
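To show what the hex strings in the first rule actually match, here is an added Python example (not Carbon Black's code) that translates the rule's `$s*` strings into byte regexes, including the `[16-24]` jump in `$s6` that separates the little-endian encodings of the two C2 ports, 443 (`BB 01`) and 7443 (`13 1D`), and evaluates a subset of the rule's condition over a constructed buffer. The buffer is synthetic, not a HopLight sample, and the `all of ($api*)` clause is omitted for brevity.

```python
import re
import struct

# $s strings copied from hoplight_RAT_2019_Q2. Hex strings use YARA syntax:
# "??" is a one-byte wildcard and "[a-b]" is a jump of a to b arbitrary bytes.
STRINGS = {
    "$s1": b"udbcgiut.dat",
    "$s2": b"master secret",
    "$s3": b"key expansion",
    "$s4": "B8 CA 18 17",                # return code success
    "$s5": "08 AB DF BC",                # return code error
    "$s6": "00 BB 01 [16-24] 00 13 1D",  # ports 443 (0x01BB) and 7443 (0x1D13)
    "$s7": "68 C2 B6 00 00",             # hard coded response
}

def hex_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string into an equivalent bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2))))
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)

def scan(buf: bytes) -> dict:
    """Return {name: [offsets]} for every rule string found in buf."""
    hits = {}
    for name, pat in STRINGS.items():
        rx = re.escape(pat) if isinstance(pat, bytes) else hex_to_regex(pat)
        offs = [m.start() for m in re.finditer(rx, buf, re.DOTALL)]
        if offs:
            hits[name] = offs
    return hits

def matches_rule(buf: bytes) -> bool:
    """Mirror the rule condition: MZ header and at least 4 of the $s strings."""
    return buf[:2] == b"MZ" and len(scan(buf)) >= 4

def build_sample() -> bytes:
    """Constructed test buffer (not a real binary): MZ header, the two port
    constants 20 bytes apart, the success code and two of the text strings."""
    return (b"MZ" + b"\x00" * 62
            + b"\x00" + struct.pack("<H", 443) + b"A" * 20
            + b"\x00" + struct.pack("<H", 7443)
            + b"\x90" * 8 + bytes.fromhex("B8CA1817")
            + b"\x00" * 4 + b"udbcgiut.dat\x00master secret\x00")

if __name__ == "__main__":
    for name, offs in scan(build_sample()).items():
        print(name, [hex(o) for o in offs])
    print("rule condition met:", matches_rule(build_sample()))
```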