lazarusholic

Hangro: Investigating North Korean VPN Infrastructure Part 2

2025-07-16, NKInternet
https://nkinternet.wordpress.com/2025/07/16/hangro-investigating-north-korean-vpn-infrastructure-part-2/

If you haven’t seen part 1, it provides an overview of the service as well as the domains and IPs supporting the infrastructure.
Continuing my analysis of the Hangro VPN IPs and service, I began querying the IPs directly and took some first steps toward reversing an older sample of the Hangro VPN client. OpenSSL and a few other tools provided additional detail on how the VPN functions. This post looks further at how the Hangro client authenticates, as well as at some recent sightings of Hangro in the wild.
Handshake Failures
The four IPs 175.45.176.21, 175.45.176.22, 188.43.136.115, and 188.43.136.116 all present the same certificate on port 7443. For brevity I’ve posted only a few snippets throughout the post; the full certificate is available at the end. Querying these IPs directly resulted in a handshake failure.
# openssl s_client -connect 175.45.176.21:7443 -tls1_2
CONNECTED(00000003)
Can't use …

IoC

https://ps.ppokongui.com
175.45.176.22
5.7.3.1
188.43.136.116
175.45.176.21
5.7.3.2
188.43.136.115
[email protected]