HOPLIGHT Malware Report: What is HOPLIGHT and How Does it Work?

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government to collect machine information, exfiltrate data, and launch commands. The malware has also been observed connecting outbound over TCP port 443.

HOPLIGHT Malware Capabilities

HOPLIGHT may use a number of techniques to steal data or exfiltrate it over an existing command and control channel. These include encoding data into the normal communications channel using the same protocol as the command and control communications, using a connection proxy to direct traffic, and abusing the Windows service control manager to execute malicious commands. HOPLIGHT may also change the standard port used by a protocol to bypass filtering or to muddle analysis and parsing of network data.

  • The HOPLIGHT malware may steal data by exfiltrating it over an existing command and control channel. The stolen data is encoded into the normal communications channel using the same protocol as command and control communications. Additionally, HOPLIGHT may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. This information may be used to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • The HOPLIGHT malware may use proxies or port redirection to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. HOPLIGHT may also abuse the Windows service control manager to execute malicious commands or payloads.
  • HOPLIGHT may interact with the Windows Registry to gather information about the system, its configuration, and installed software. It may also "pass the hash", using stolen password hashes to move laterally within an environment and bypass normal system access controls.
  • HOPLIGHT may gather system time and/or time zone information from a local or remote system, and may abuse Windows Management Instrumentation to execute malicious commands and payloads. It may also inject code into processes in order to evade process-based defenses and possibly elevate privileges.
  • HOPLIGHT may disable or modify system firewalls in order to bypass controls limiting network usage. It may also use fallback or alternate communication channels if the primary channel is compromised or inaccessible. Finally, it may attempt to extract credential material from the Security Account Manager (SAM) database.
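The report notes that HOPLIGHT connects outbound over TCP 443 and may reuse a standard port while speaking its own protocol. One defender-side check that follows from this is to inspect the first client bytes of every flow to port 443 and flag sessions that do not begin with a TLS ClientHello. The code below is an added example written for this page, not code from the original report or from any HOPLIGHT analysis; the `Flow` record, the helper names, and the sample payloads (documentation-range IP addresses, a truncated ClientHello header, a made-up binary framing) are all constructed for illustration.

```python
"""Heuristic check that a flow on TCP/443 really begins with a TLS ClientHello.

Added example, not code from the original report. A session that borrows
port 443 without speaking TLS stands out once the first client payload is
inspected. Flow records and payloads below are constructed for the example.
"""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16                            # record content type: handshake
TLS_CLIENT_HELLO = 0x01                         # handshake message type: ClientHello
TLS_MINOR_VERSIONS = (0x00, 0x01, 0x02, 0x03)   # record-layer versions SSL 3.0 .. TLS 1.2 (TLS 1.3 also uses these)


@dataclass
class Flow:
    """One TCP flow with the first bytes the client sent (constructed records)."""
    src: str
    dst: str
    dport: int
    first_payload: bytes


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS handshake record whose first message is a ClientHello.

    Checks the 5-byte record header (type 0x16, version 0x03xx, non-zero length)
    and the handshake type byte that follows it. Payloads too short to carry
    that header fail the check.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor not in TLS_MINOR_VERSIONS:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0:
        return False
    return payload[5] == TLS_CLIENT_HELLO


def find_non_tls_on_443(flows):
    """Return flows to port 443 whose first client payload is not a TLS ClientHello."""
    return [f for f in flows if f.dport == 443 and not looks_like_tls_client_hello(f.first_payload)]


# Constructed samples. CLIENT_HELLO is the start of a TLS 1.2 ClientHello
# (record header 16 03 01 00 2d, then handshake type 01); the others are not TLS.
CLIENT_HELLO = bytes.fromhex("160301002d0100002903036a") + b"\x00" * 34
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.10", 443, CLIENT_HELLO),                           # genuine TLS
    Flow("10.0.0.12", "203.0.113.20", 443, b"\x00\x00\x00\x28\x8f\x3a\x11\x42"),     # custom binary framing on 443
    Flow("10.0.0.15", "198.51.100.5", 443, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),    # cleartext HTTP on 443
    Flow("10.0.0.15", "198.51.100.5", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),     # port 80, out of scope
]

if __name__ == "__main__":
    for f in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} first bytes {f.first_payload[:8].hex()} (not TLS)")
```

Treat a hit as a triage signal rather than a verdict: some legitimate software (VPN clients, proprietary agents) also runs non-TLS protocols on 443, so an allowlist of known destinations belongs in front of any alert. The check only looks at the client's first record, so it is cheap enough to run on every new flow from a packet capture or a proxy that exposes the initial bytes.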

Ways to Mitigate HOPLIGHT Malware Attacks

  • HOPLIGHT malware attacks can be mitigated by analyzing network data for unusual data flows, and by analyzing packet contents to detect communications that do not follow the expected protocol behavior. Additionally, system and network discovery techniques can help identify unusual activity that could be part of the HOPLIGHT malware attack.
  • HOPLIGHT malware attacks can be mitigated by analyzing network data for unusual data flows, and by checking for changes to service Registry entries and for command line invocations of tools that could modify services. Changes that do not correlate with known software or patch cycles may be indicative of malicious activity.
  • HOPLIGHT can be mitigated by restricting the usage of the Windows command shell, analyzing packet contents, and identifying unusual network data flows. System and network discovery techniques can also help to identify potential HOPLIGHT activity.
  • HOPLIGHT malware attacks can be mitigated by identifying unusual remote logins and NTLM LogonType 3 authentications that are not associated with a domain login. Additionally, changes to the Registry and startup folder that do not correlate with known software, patch cycles, etc. may indicate malicious activity. If a change to a service-related entry occurs, it will likely be followed by a local or remote service start or restart to execute the file.
  • HOPLIGHT malware can be mitigated by monitoring network traffic for WMI connections and by process monitoring to capture command-line arguments of "wmic". Windows API calls used for process injection, such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, should also be monitored.
  • HOPLIGHT malware attacks can also be mitigated by monitoring processes and command-line arguments for firewalls being disabled or modified, by analyzing network data for uncommon data flows, and by watching for hash dumpers that open the Security Accounts Manager on the local file system or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers open the local file system as a device and parse to the SAM table to avoid file access defenses; others make an in-memory copy of the SAM table before reading hashes.
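Several of the detection points in the list above are host-log checks: NTLM LogonType 3 logons not associated with a domain login, new or changed services, "wmic" command lines, and firewall modifications. The block below turns those points into a small rule set run over constructed Windows event records. It is an added example for this page, not code from the original report; the records are flattened dictionaries rather than parsed EVTX, the field names follow the Security and System log conventions but every value is made up, and `TRUSTED_DOMAINS` and `KNOWN_SERVICE_PATHS` are placeholder assumptions an operator would replace with their own environment's values.

```python
"""Rule-based triage of Windows event records for the HOPLIGHT detection points
listed in the mitigation section: NTLM LogonType 3 logons outside the domain,
unexpected service installs, wmic and firewall command lines, and service or
Run-key Registry changes.

Added example, not code from the original report. Event records are constructed,
flattened dicts (no EVTX parsing); TRUSTED_DOMAINS and KNOWN_SERVICE_PATHS are
assumptions to be tuned per environment.
"""
import re

TRUSTED_DOMAINS = {"CORP"}                                              # assumption: the org's AD domain(s)
KNOWN_SERVICE_PATHS = ("c:\\windows\\system32\\", "c:\\program files\\")  # assumption: expected service image roots

# Command-line patterns for the tools the report names (wmic, firewall and service changes).
COMMAND_RULES = {
    "wmi_exec":        re.compile(r"\bwmic(\.exe)?\b.*(process\s+call\s+create|/node:)", re.I),
    "firewall_change": re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\b(set|add|delete)\b", re.I),
    "service_modify":  re.compile(r"\bsc(\.exe)?\s+(create|config)\b|\breg(\.exe)?\s+add\b.*\\services\\", re.I),
    "run_key_persist": re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run", re.I),
}


def check_logon(ev):
    """4624 LogonType 3 over NTLM where the target domain is not a trusted AD domain."""
    if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
            and ev.get("TargetDomainName", "").upper() not in TRUSTED_DOMAINS):
        return ["ntlm_network_logon_nondomain"]
    return []


def check_service_install(ev):
    """7045 (new service installed) whose image path is outside the expected roots."""
    if ev.get("EventID") == 7045:
        path = ev.get("ImagePath", "").strip('"').lower()
        if not path.startswith(KNOWN_SERVICE_PATHS):
            return ["unexpected_service_install"]
    return []


def check_command_line(ev):
    """4688 process creation whose command line matches one of the rule patterns."""
    if ev.get("EventID") != 4688:
        return []
    cmd = ev.get("CommandLine", "")
    return [name for name, pat in COMMAND_RULES.items() if pat.search(cmd)]


def triage(events):
    """Return (event index, rule name) pairs for every rule hit, in log order."""
    findings = []
    for i, ev in enumerate(events):
        for check in (check_logon, check_service_install, check_command_line):
            findings.extend((i, rule) for rule in check(ev))
    return findings


SAMPLE_EVENTS = [  # constructed records, not from any real system
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos", "TargetDomainName": "CORP"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "WS-FIN-07"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "CORP"},
    {"EventID": 7045, "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ImagePath": "C:\\ProgramData\\cache\\upd.exe"},
    {"EventID": 4688, "CommandLine": 'wmic /node:10.0.0.5 process call create "cmd /c hostname"'},
    {"EventID": 4688, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 4688, "CommandLine": 'sc create UpdSvc binPath= "C:\\ProgramData\\cache\\upd.exe" start= auto'},
    {"EventID": 4688, "CommandLine": "C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for index, rule in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The local-account NTLM rule is the noisiest of the four in practice: workgroup machines and local administrator access to admin shares produce the same 4624 shape, so the domain allowlist and a per-host baseline of expected service image paths are what keep the output reviewable. The 7045 and 4688 rules depend on service installation logging and process creation auditing with command-line capture being enabled on the endpoints; without that audit policy the corresponding events never reach the collector.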

Reactionary Times News Desk