North Korean Hidden Cobra hackers drop Hoplight Trojan

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about an ongoing Trojan malware campaign, believed to be launched by the North Korean government.

In conjunction with the Federal Bureau of Investigation and the US Department of Defense, CISA said the agencies had identified the Hoplight Trojan, which is a 32-bit Windows portable executable.

Hoplight collects system information about target computers when it runs.

Information collected includes operating system version, storage volumes including enumeration of drives and partitions, and the time.

Analysis by CISA showed that Hoplight can also read, write and move files, create and terminate system processes as well as injecting data into them.

The malware can also create, start and stop Windows services, and modify the Registry configuration database.

CISA observed that Hoplight can connect to remote network hosts and upload and download files to and from these.

A total of 22 internet hosts can be contacted by Hoplight, which comes in two variants currently, CISA noted.

Hoplight was first spotted in April this year, and uses a digital certificate from South Korean search engine Naver.com.

North Korea is accused by the US of an ongoing malware campaign, named HIDDEN COBRA, that started in 2017 with the infamous WannaCry ransomware attack that hit thousands of computers worldwide.

Apart from Hoplight and WannaCry, CISA attributes several other types of malware to the HIDDEN COBRA hackers, including FallChill, HardRain, BankShot, BadCall and ElectricFish.