North Korea debuts new Electricfish malware in Hidden Cobra campaigns

The tool is used to forge covert pathways out of infected Windows PCs.
Written by Charlie Osborne, Contributing Writer

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks.

Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, a threat group believed to be state-sponsored and backed by the North Korean government.

Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.

The description of Electricfish is based on one malicious 32-bit Windows executable. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

Electricfish is, therefore, able to shift traffic through proxies by the attackers to reach outside of a victim network.

"The malware can be configured with a proxy server/port and proxy username and password," the advisory reads. "This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system's required authentication to reach outside of the network."

The command-line utility attempts to establish TCP sessions with the source IP address and the destination IP. If a connection attempt is successful, the utility will launch its custom protocol, leading to the quick push of traffic between two machines.

CNET: You deleted your Alexa voice recordings, but the text records are still there

"The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes," the advisory says. "Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt."

Such a tool can be used by threat actors to covertly funnel out information stolen from a victim's machine, as well as to bolster attempts to remain under the radar and to keep the theft undetected.

The DHS and FBI said the advisory was published "to enable network defense and reduce exposure to North Korean government malicious cyber activity." 

TechRepublic: Cybersecurity burnout: 10 most stressful parts of the job

This is one of many recent advisories relating to alleged North Korean cyberattackers. In April, the US government sent out a warning concerning Hoplight, another strain of malware used by Hidden Cobra.

Hoplight is a backdoor which siphons data from a victim machine and sends this information to an attacker's command-and-control (C2) server. The malware is also capable of modifying registry settings, both creating and killing processes, and downloading files, among other features.

See also: Hackers attack Confluence Servers, hijack power for cryptocurrency mining

US government advisories for Hidden Cobra have been issued since 2017 with the emergence of the global WannaCry ransomware outbreak, which was believed to be the work of North Korean hackers.

A list of Indicators of Compromise (IOC) for Electricfish can be downloaded here

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards