Currently viewing ATT&CK v10.1 which was live between October 21, 2021 and April 24, 2022. Learn more about the versioning system or see the live site.
  1. Home
  2. Software
  3. HOPLIGHT

HOPLIGHT

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[1]

ID: S0376
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 19 April 2019
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HOPLIGHT can launch cmd.exe to execute commands on the system.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [1]

Enterprise T1041 Exfiltration Over C2 Channel

HOPLIGHT has used its C2 channel to exfiltrate data.[1]

Enterprise T1008 Fallback Channels

HOPLIGHT has multiple C2 channels in place in case one fails.[1]

Enterprise T1083 File and Directory Discovery

HOPLIGHT has been observed enumerating system drives and partitions.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

HOPLIGHT has modified the firewall using netsh.[1]

Enterprise T1105 Ingress Tool Transfer

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[1]

Enterprise T1112 Modify Registry

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.[1]

Enterprise T1571 Non-Standard Port

HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[1]
Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.[1]

Enterprise T1055 Process Injection

HOPLIGHT has injected into running processes.[1]

Enterprise T1090 Proxy

HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.[1]

Enterprise T1012 Query Registry

A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name.[1]
Enterprise T1082 System Information Discovery

HOPLIGHT has been observed collecting victim machine information like OS version, drivers, volume information and more.[1]
Enterprise T1569 .002 System Services: Service Execution

HOPLIGHT has used svchost.exe to execute a malicious DLL .[1]
Enterprise T1124 System Time Discovery

HOPLIGHT has been observed collecting system time from victim machines.[1]
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

HOPLIGHT has been observed loading several APIs associated with Pass the Hash.[1]

Enterprise T1047 Windows Management Instrumentation

HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[1]
G0082 APT38

[2]

References

  1. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  1. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.