The U.S. Department of Homeland Security and FBI have jointly released an official Malware Analysis Report detailing several variants of HOPLIGHT, a trojan malware program used by hackers from Hidden Cobra, an APT group that's been widely linked to the North Korean government.
Upon execution, HOPLIGHT allows attackers to collect victim machine information, connect to a remote host, and manipulate various files, processes and services.
The report looks at nine separate files, seven of which are proxy applications that, according to the agencies, "generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors." An eighth file contains a public SSL certificate and an encoded payload, while the final file attempts outbound connections and drops four files that contain IP addresses and SSL certificates.
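A defender's first question about "fake TLS handshake sessions using valid public SSL certificates" is how to spot them on the wire. The following is an added example, not code from the report or from the agencies, of a simple triage heuristic over captured TLS session metadata: a session is suspicious when the server presents a certificate whose names do not cover the ClientHello's SNI, or when the certificate's names belong to hosts that do not resolve to the destination IP. The session records and the name-to-IP map are constructed for illustration; a real deployment would populate them from passive DNS and a TLS-inspecting sensor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class TlsSession:
    """Metadata a TLS-aware sensor would record for one session (constructed)."""
    dst_ip: str
    sni: Optional[str]        # server_name from the ClientHello, None if absent
    cert_names: List[str]     # subject CN plus subjectAltName DNS entries


def hostname_matches(name: str, pattern: str) -> bool:
    """RFC 6125-style match: exact, or a single left-most wildcard label."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return name == pattern
    # A wildcard covers exactly one label, so the label counts must agree.
    return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")


def assess_session(session: TlsSession, expected_ips: Dict[str, Set[str]]) -> List[str]:
    """Return a list of findings; an empty list means nothing looked off.

    expected_ips maps a certificate name to the IPs the defender has resolved
    it to (for example from passive DNS). Names not in the map are not judged.
    """
    findings: List[str] = []

    if session.sni is None:
        findings.append("no SNI in ClientHello")
    elif not any(hostname_matches(session.sni, n) for n in session.cert_names):
        findings.append("SNI does not match any certificate name")

    known: Set[str] = set()
    for n in session.cert_names:
        known |= expected_ips.get(n, set())
    if known and session.dst_ip not in known:
        findings.append("certificate names do not resolve to destination IP")

    return findings


# Constructed lookup table: certificate name -> IPs it legitimately resolves to.
EXPECTED_IPS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "*.example.com": {"192.0.2.10", "192.0.2.11"},
}

# Constructed sessions: one ordinary, one where a real-looking certificate is
# served from an unrelated address with a mismatched SNI.
SESSIONS = [
    TlsSession("192.0.2.10", "www.example.com", ["www.example.com", "*.example.com"]),
    TlsSession("198.51.100.7", "cdn.example.net", ["www.example.com", "*.example.com"]),
]


def triage(sessions: List[TlsSession]) -> Dict[str, List[str]]:
    """Map each destination IP to its findings (only sessions with findings)."""
    return {s.dst_ip: f for s in sessions if (f := assess_session(s, EXPECTED_IPS))}


if __name__ == "__main__":
    for ip, findings in triage(SESSIONS).items():
        print(ip, "->", "; ".join(findings))
```

The heuristic is deliberately narrow: it flags only the mismatch the report's description implies, a legitimate-looking certificate served from infrastructure it does not belong to, and it produces no finding for names it has no resolution data for, so a stale map degrades to silence rather than false positives.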
The report also shares a downloadable list of indicators of compromise.