---

SafeBreach Labs has updated the Hacker’s Playbook™ with new simulations for attacks described in US-CERT Alert (AR19-100A) which describes a new malware, “HOPLIGHT” associated with North Korean (aka. “HIDDEN COBRA”).

This alert provides an analysis of nine malicious executable files, seven of which are proxy applications that mask traffic between the malware and the remote operators. These seven proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors.

Another remaining executable file contains a public SSL certificate. The payload of this file appears to be encoded with a password or key.

The final executable file attempts outbound connections and drops files.

These common attacks have appeared in healthcare, finance, government, and defense industries. Their widespread availability presents a challenge for network defenses and threat-actor attribution. SafeBreach recommends all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls available now:

Newly developed playbook methods related to AR19-100A

Playbook # 2252 – Write Trojan-Hoplight malware to disk

• Endpoint Controls – Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook # 2253 – Transfer of Trojan-Hoplight malware over HTTP/S (Lateral Movement)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2254 – Transfer of Trojan-Hoplight malware over HTTP/S (Infiltration)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2255 – Email Trojan-Hoplight malware as a ZIP attachment (Lateral Movement)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook # 2256 – Email Trojan-Hoplight malware as a ZIP attachment (Infiltration)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook # 2257 – Write Trojan-Hoplight (rdpproto) malware to disk

• Endpoint Controls – Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook # 2258 – Transfer of Trojan-Hoplight (rdpproto) malware over HTTP/S (Lateral Movement)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2259 – Transfer of Trojan-Hoplight (rdpproto) malware over HTTP/S (Infiltration)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2260 – Email Trojan-Hoplight (rdpproto) malware as a ZIP attachment (Lateral Movement)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook # 2261 – Email Trojan-Hoplight (rdpproto) malware as a ZIP attachment (Infiltration)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Existing playbook methods related to AR19-100A

Playbook # 2246 – Hooking of GetSystemTime function (T1179)

• Endpoint Controls – Are security controls or hardening in place to prevent the function hooking used in this attack??

Playbook # 904 – Start Secondary Logon Service

• Endpoint Controls – Are security controls or hardening in place to prevent enabling secondary logon service used in this attack?

Playbook # 2155 – Transfer of Text File over HTTP/S using Tor

• Endpoint Controls – Are security controls or hardening in place to prevent using Tor as used in this attack?

Playbook # 794 – Run Mimikatz

• Endpoint Controls – Are security controls or hardening in place to prevent credentials gathering used in this attack?

Playbook # 1614 – Collect Network Credentials using NetPass tool

• Endpoint Controls – Are security controls or hardening in place to prevent credentials gathering used in this attack?