HOPLIGHT Trojan


By GoldSparrow in Trojans

The United States Department of Homeland Security and the FBI have reported on the HOPLIGHT Trojan, developed by an advanced persistent threat group based in North Korea that has been referred to as “Lazarus.” Data about the HOPLIGHT Trojan was released online via the MAR AR19-100A advisory, which detailed aspects of the HOPLIGHT Trojan attack and linked it to the Lazarus group, also known as HIDDEN COBRA, ZINC, Guardians of Peace, or Nickel Academy. This advisory was released by the United States Government to help PC security researchers and network administrators protect their systems from attacks linked to the North Korean government.

How the Criminals Use the HOPLIGHT Trojan

The government report about the HOPLIGHT Trojan included information on how to mitigate the attack and a detailed analysis of nine different variants of the HOPLIGHT Trojan. Seven of these are proxy applications designed to hide the traffic between the HOPLIGHT Trojan and its command and control servers. This aspect of the HOPLIGHT Trojan attack allowed the HIDDEN COBRA group to hide its identity and location when carrying out the HOPLIGHT Trojan attacks. The advisory further states that the files analyzed by malware researchers include a public SSL certificate and the actual payload of the HOPLIGHT Trojan attack. This payload file is encoded with a password or key, making it more difficult to study. Once the HOPLIGHT Trojan has been installed, it first collects information about the infected computer and relays it to its command and control servers. This information includes the operating system and version, volume information about the infected device, its drives, and other basic data. Once the HOPLIGHT Trojan has carried out its full attack, it can perform a wide variety of tasks on the infected computer. The following is excerpted from the FBI and Department of Homeland Security advisory, listing the capabilities of the HOPLIGHT Trojan:

'---Begin Malware Capability---

Read, Write, and Move Files
Enumerate System Drives
Create and Terminate Processes
Inject into Running Processes
Create, Start and Stop Services
Modify Registry Settings
Connect to a Remote Host
Upload and Download Files

---End Malware Capability---'

It is not hard to imagine the applications of being able to carry out the above operations on an infected computer. Since the HOPLIGHT Trojan is attributed to a group based in North Korea, it is almost certain that it is state sponsored, meaning that the criminals responsible for HOPLIGHT Trojan attacks will have significant resources at their disposal, many more than the average hacker or malware developer. However, it is unlikely that the HOPLIGHT Trojan attack will actually be used against individual computer users, since higher profile targets such as corporations, government agencies and prominent individuals are more likely to be the targets of these kinds of attacks. It is clear that HOPLIGHT Trojan attacks are designed with espionage in mind, although they could also potentially be used to cause disruption and attack infrastructure, whether physical or financial.
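Two of the capabilities in the excerpt above, creating services and modifying registry settings, are routes a Trojan can use to persist on a host, and they leave traces a defender can baseline and diff. The script below is an added example, not code from the advisory or from this page: it compares a known-good snapshot of services and registry Run values against a later snapshot and flags additions, changes, and any entry whose binary lives in a user-writable location. All service names, paths and registry values are constructed for the example; on a real Windows host the snapshots would be produced with `sc query` or `Get-Service` and by reading the `Run` keys under HKLM and HKCU.

```python
"""Baseline-diff check for new services and registry autorun entries.

Added example (not part of the advisory or the page). The snapshots below
are constructed inline so the script runs offline; the names and paths
are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline captured from a clean host (hypothetical values).
BASELINE = {
    "services": {
        "Dnscache": r"C:\Windows\system32\svchost.exe -k NetworkService",
        "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs",
    },
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}

# Constructed later snapshot: two new services and one new Run value.
# One of the new services sits under Program Files (typical of a legitimate
# install); the other two entries run from user-writable directories.
SNAPSHOT = {
    "services": {
        "Dnscache": r"C:\Windows\system32\svchost.exe -k NetworkService",
        "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs",
        "VendorAgent": r"C:\Program Files\Vendor\agent.exe",
        "NetSvcHelper": r"C:\Users\Public\nethelper.exe -proxy",
    },
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\system32\SecurityHealthSystray.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd":
            r"C:\Users\alice\AppData\Roaming\upd.exe",
    },
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "service" or "run_key"
    name: str    # service name or full registry value path
    change: str  # "added" or "modified"
    value: str   # binary path / command line seen in the later snapshot


def diff_section(kind: str, base: Dict[str, str], now: Dict[str, str]) -> List[Finding]:
    """Report entries that are new or whose command line changed since baseline."""
    findings = []
    for name, value in sorted(now.items()):
        if name not in base:
            findings.append(Finding(kind, name, "added", value))
        elif base[name] != value:
            findings.append(Finding(kind, name, "modified", value))
    return findings


def compare_snapshots(baseline: dict, current: dict) -> List[Finding]:
    """Diff services first, then Run keys, in a stable order."""
    findings = diff_section("service", baseline["services"], current["services"])
    findings += diff_section("run_key", baseline["run_keys"], current["run_keys"])
    return findings


# Directory fragments (lower-cased) that a normal user can write to; a
# service or autorun binary in one of these deserves a closer look.
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def is_suspicious_path(value: str) -> bool:
    """Simple heuristic: is the binary launched from a user-writable location?"""
    lowered = value.lower()
    return any(fragment in lowered for fragment in SUSPICIOUS_DIRS)


def triage(findings: List[Finding]) -> List[Finding]:
    """Keep only the findings that also fail the path heuristic."""
    return [f for f in findings if is_suspicious_path(f.value)]


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one line each, ready for a ticket or a SIEM event."""
    return [f"[{f.kind}] {f.change}: {f.name} -> {f.value}" for f in findings]


if __name__ == "__main__":
    all_findings = compare_snapshots(BASELINE, SNAPSHOT)
    print("All changes since baseline:")
    print("\n".join(report(all_findings)))
    print("\nChanges running from user-writable paths:")
    print("\n".join(report(triage(all_findings))))
```

The diff reports every change so nothing is silently dropped; the path heuristic only orders the review queue. In practice the baseline is refreshed after approved software installs, and findings feed an alert rather than a console print.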

Protecting Devices from Threats Like the HOPLIGHT Trojan

Although there is no question that the HOPLIGHT Trojan is a high profile attack, the measures used to protect devices and networks from these kinds of attacks are no different from those used against most attacks. A security program that is fully up to date and the prompt application of the latest security patches are both essential to keeping a device protected from the HOPLIGHT Trojan. It is also important to avoid spear phishing attacks and other tactics used to deliver these kinds of threats. This means that computer users must learn to spot common scams and react appropriately, avoiding shady online content and unsolicited email attachments, which are common methods for delivering the HOPLIGHT Trojan. It is also important for corporations and government agencies to train employees in computer security to prevent social engineering scams that rely on victims disclosing passwords or other important information without being aware of doing so.
