SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hoplight (Back to overview)

HOPLIGHT

aka: HANGMAN

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-25SentinelOneJim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:fd008a7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045g}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT
HOPLIGHT
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2019-10-31CISACISA
@online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-304A)
HOPLIGHT
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-04-11Computing.co.ukDev Kundaliya
@online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea
HOPLIGHT
2019-04-10US-CERTUS-CERT
@online{uscert:20190410:malware:4946afa, author = {US-CERT}, title = {{Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT}}, date = {2019-04-10}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-100A}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT
HOPLIGHT
2017-08-14Palo Alto Networks Unit 42Anthony Kasza
@online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } The Blockbuster Saga Continues
HOPLIGHT
2015-09-10FireEyeGenwei Jiang, Josiah Kimble
@techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors
HOPLIGHT
Yara Rules
[TLP:WHITE] win_hoplight_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_hoplight_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4889842428050000 ebc1 83bc249005000004 750d c784244805000001000000 }
            // n = 5, score = 100
            //   4889842428050000     | mov                 dword ptr [esp + 0xbc], eax
            //   ebc1                 | test                eax, eax
            //   83bc249005000004     | jne                 0x68
            //   750d                 | cmp                 dword ptr [ebp - 0x24], edi
            //   c784244805000001000000     | je    0x68

        $sequence_1 = { 488bcb e8???????? 4885c0 7526 4883c708 66392f 75c7 }
            // n = 7, score = 100
            //   488bcb               | dec                 esp
            //   e8????????           |                     
            //   4885c0               | lea                 eax, [0xfffbd9c5]
            //   7526                 | dec                 eax
            //   4883c708             | mov                 dword ptr [esp + 0x528], eax
            //   66392f               | jmp                 0xffffffc3
            //   75c7                 | cmp                 dword ptr [esp + 0x590], 4

        $sequence_2 = { c745885d197618 c7458c6c156f29 6644896590 ba08000000 488d4d88 e8???????? }
            // n = 6, score = 100
            //   c745885d197618       | dec                 eax
            //   c7458c6c156f29       | lea                 ecx, [esp + 0x70]
            //   6644896590           | mov                 dword ptr [esp + 0x48], eax
            //   ba08000000           | cmp                 dword ptr [esp + 0x48], 0
            //   488d4d88             | mov                 dword ptr [ebp - 0x78], 0x1876195d
            //   e8????????           |                     

        $sequence_3 = { ba03000000 488d4c2470 e8???????? 89442448 837c244800 }
            // n = 5, score = 100
            //   ba03000000           | xor                 eax, dword ptr [edx + ecx*4]
            //   488d4c2470           | mov                 ecx, dword ptr [esp + 0x20]
            //   e8????????           |                     
            //   89442448             | shr                 ecx, 0x10
            //   837c244800           | mov                 edx, 3

        $sequence_4 = { 85c0 0f8478010000 8b8424bc000000 83f003 898424bc000000 }
            // n = 5, score = 100
            //   85c0                 | mov                 dword ptr [ebp - 0x74], 0x296f156c
            //   0f8478010000         | inc                 sp
            //   8b8424bc000000       | mov                 dword ptr [ebp - 0x70], esp
            //   83f003               | mov                 edx, 8
            //   898424bc000000       | dec                 eax

        $sequence_5 = { 85c0 7566 397ddc 7461 4c8d05c5d9fbff }
            // n = 5, score = 100
            //   85c0                 | lea                 ecx, [ebp - 0x78]
            //   7566                 | test                eax, eax
            //   397ddc               | je                  0x17e
            //   7461                 | mov                 eax, dword ptr [esp + 0xbc]
            //   4c8d05c5d9fbff       | xor                 eax, 3

        $sequence_6 = { 81e1ff000000 8bc9 488d159e780200 33048a 8b4c2420 c1e910 }
            // n = 6, score = 100
            //   81e1ff000000         | dec                 eax
            //   8bc9                 | mov                 ecx, dword ptr [esp + 0x80]
            //   488d159e780200       | and                 ecx, 0xff
            //   33048a               | mov                 ecx, ecx
            //   8b4c2420             | dec                 eax
            //   c1e910               | lea                 edx, [0x2789e]

        $sequence_7 = { 894110 488b842480000000 8b4014 0344240c 488b8c2480000000 }
            // n = 5, score = 100
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   488b842480000000     | dec                 eax
            //   8b4014               | mov                 eax, dword ptr [esp + 0x80]
            //   0344240c             | mov                 eax, dword ptr [eax + 0x14]
            //   488b8c2480000000     | add                 eax, dword ptr [esp + 0xc]

    condition:
        7 of them and filesize < 765952
}
Download all Yara Rules