US CISA, FBI and DoD: North Korea hit targets with a Trojan variant referred to as HOPLIGHT. The HIDDEN COBRA malware collects system information about the victim machine, including OS version, volume information and system time.
A Trojan variant referred to as HOPLIGHT is used by the North Korean government to hit targets worldwide as part of HIDDEN COBRA activity. It has been identified by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The malware is a malicious 32-bit Windows executable. When executed, it collects system information about the victim machine, including OS version, volume information, and system time, and enumerates the system drives and partitions. The Pyongyang malicious code is capable of reading, writing, and moving files; enumerating system drives; creating and terminating processes; injecting into running processes; creating, starting, and stopping services; modifying registry settings; connecting to a remote host; and uploading and downloading files.
Cyber security experts: the HOPLIGHT Trojan family has two versions. Both are nearly identical in functionality but use slightly different command codes.
According to the cyber security experts, the HOPLIGHT family has two versions. Both are nearly identical in functionality but use slightly different command codes: for example, if the opcode for Keepalive in version 1 is 0xB6C1, the opcode in version 2 is 0xB6C2. When executed, the North Korean malware attempts a TLS handshake with one of four hardcoded IP addresses embedded in the code. These IP addresses are referenced in ‘udbcgiut.dat’ below. The malware also contains an embedded Zlib compression library that appears to further obfuscate the communications payload. After the TLS authentication is completed, this malware does NOT use the session key generated via TLS; instead it uses a custom Linear Feedback Shift Register (LFSR) encryption scheme to encrypt all communications after the handshake completes.
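The detection-relevant consequence of the paragraph above is that, because the session key negotiated by the TLS handshake is never used, the bytes that follow the handshake on the TLS port will not be framed as TLS records. The following is an added defensive triage example, not code from the CISA/FBI/DoD report and not derived from the malware itself; it runs on constructed sample bytes rather than real HOPLIGHT captures. It walks a post-handshake byte stream, checks whether every byte belongs to a well-formed TLS record, and otherwise checks for a zlib stream header (the page notes an embedded Zlib library), so an analyst can flag sessions whose content is opaque to a TLS parser.

```python
"""Post-handshake traffic triage (added example; constructed sample data).

Classifies a byte stream captured on a TLS port after the handshake as
  - "tls_records"    : every byte belongs to a well-formed TLS record
  - "zlib_not_tls"   : not TLS, but starts with a valid zlib stream header
  - "opaque_not_tls" : neither, i.e. a candidate custom-crypto channel
"""
import struct
import zlib

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Ciphertext records may exceed 2^14 plaintext bytes by up to 2048 bytes.
TLS_MAX_RECORD_LEN = (1 << 14) + 2048


def parse_tls_records(data: bytes):
    """Walk `data` as a sequence of TLS records.

    Returns (records, consumed): `records` lists (content_type, (major, minor),
    length) for each well-formed record, and `consumed` is the offset of the
    first byte that does not fit a TLS record header (len(data) if all did).
    """
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        # Legacy version field is 0x0300..0x0304 for SSL3 through TLS 1.3.
        if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
            break
        if length == 0 or length > TLS_MAX_RECORD_LEN or off + 5 + length > len(data):
            break
        records.append((ctype, (major, minor), length))
        off += 5 + length
    return records, off


def looks_like_zlib(data: bytes) -> bool:
    """zlib header check (RFC 1950): CM == 8 (deflate) and the CMF/FLG
    byte pair, read big-endian, is a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def classify_post_handshake(data: bytes) -> str:
    """Label the bytes that follow a completed TLS handshake."""
    records, consumed = parse_tls_records(data)
    if records and consumed == len(data):
        return "tls_records"
    if looks_like_zlib(data):
        return "zlib_not_tls"
    return "opaque_not_tls"


# --- Constructed samples (not captured HOPLIGHT traffic) --------------------
# One TLS 1.2 application_data record carrying 4 bytes.
SAMPLE_TLS = bytes([23, 3, 3, 0, 4]) + b"\xde\xad\xbe\xef"
# A raw zlib stream sent without any TLS record framing.
SAMPLE_ZLIB = zlib.compress(b"constructed beacon payload")
# Bytes that fit neither framing, as a stream ciphered outside TLS would.
SAMPLE_OPAQUE = bytes([0x41, 0x07, 0xF2, 0x9A, 0x11, 0x5C, 0xC3, 0x0E])


if __name__ == "__main__":
    for name, blob in (("tls", SAMPLE_TLS), ("zlib", SAMPLE_ZLIB),
                       ("opaque", SAMPLE_OPAQUE)):
        print(f"{name:7s} -> {classify_post_handshake(blob)}")
```

The classifier is deliberately strict: a capture that ends mid-record is reported as not-TLS, so production code would want to tolerate one truncated trailing record. It also only says that traffic is not TLS, not what it is; the point is to surface sessions that complete a handshake and then carry something a TLS parser cannot account for, which is exactly the pattern the page describes. A related caveat for anyone assessing the custom scheme: an LFSR keystream is linear, and the Berlekamp-Massey algorithm recovers an LFSR of length L from 2L consecutive known keystream bits, so such encryption offers no meaningful confidentiality against an analyst holding known plaintext.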