North Korea (Lazarus Group): The FBI and DHS have issued a report detailing their findings after analyzing the HOPLIGHT trojan. According to the report, the trojan collects information about the infected system and relays it to a remote server. It can receive a number of commands from a command and control (C2) server, including reading, writing, and moving files; creating and terminating processes; injecting code into running processes; creating, starting, and stopping services; modifying registry settings; and uploading and downloading files. HOPLIGHT also uses built-in proxies to generate fake TLS handshake sessions with valid public SSL certificates, disguising its network connections to the attackers' infrastructure as legitimate traffic. According to the report, while the malware has been found in a number of campaigns carried out by Lazarus Group, HOPLIGHT's use does not appear to be focused on a particular industry.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased