North Korea debuts new Electricfish malware in Hidden Cobra campaigns
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks.
Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, a threat group believed to be state-sponsored and backed by the North Korean government.
Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.
The description of Electricfish is based on one malicious 32-bit Windows executable. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.
Electricfish is, therefore, able to shift traffic through proxies by the attackers to reach outside of a victim network.
“The malware can be configured with a proxy server/port and proxy username and password,” the advisory reads. “This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
The command-line utility attempts to establish TCP sessions with the source IP address and the destination IP. If a connection attempt is successful, the utility will launch its custom protocol, leading to the quick push of traffic between two machines.
CNET: You deleted your Alexa voice recordings, but the text records are still there
“The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes,” the advisory says. “Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt.”
Such a tool can be used by threat actors to covertly funnel out information stolen from a victim’s machine, as well as to bolster attempts to remain under the radar and to keep the theft undetected.
The DHS and FBI said the advisory was published “to enable network defense and reduce exposure to North Korean government malicious cyber activity.”
TechRepublic: Cybersecurity burnout: 10 most stressful parts of the job
This is one of many recent advisories relating to alleged North Korean cyberattackers. In April, the US government sent out a warning concerning Hoplight, another strain of malware used by Hidden Cobra.
Hoplight is a backdoor which siphons data from a victim machine and sends this information to an attacker’s command-and-control (C2) server. The malware is also capable of modifying registry settings, both creating and killing processes, and downloading files, among other features.
See also: Hackers attack Confluence Servers, hijack power for cryptocurrency mining
US government advisories for Hidden Cobra have been issued since 2017 with the emergence of the global WannaCry ransomware outbreak, which was believed to be the work of North Korean hackers.
A list of Indicators of Compromise (IOC) for Electricfish can be downloaded here.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
My Dad was a Creative Director all his life. I spent my youth working in the agency, and the apple didn’t fall far from the tree. All those experiences made me into a thinker, dreamer and doer that specializes in integrated branding, marketing, digital and public relations services. I feel my key value to clients is the ability to turn creative concepts into analytically driven marketing plans and tools with greater stopping power & relevance, leading to greater results.
Recommended Posts
5 Ways to Grow Your New Website Traffic
October 10, 2021
Social media advertising is getting harder; Monday’s daily brief
September 27, 2021
