North Korea debuts new Electricfish malware in Hidden Cobra campaigns

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks.

Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, a threat group believed to be state-sponsored and backed by the North Korean government.

Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.

The description of Electricfish is based on one malicious 32-bit Windows executable. Reverse engineering of the sample found that the malware contains a custom protocol which permits traffic to be funneled between source and destination IP addresses.

Electricfish can, therefore, be used by the attackers to shift traffic through proxies and reach outside of a victim network.

“The malware can be configured with a proxy server/port and proxy username and password,” the advisory reads. “This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”

The command-line utility attempts to establish TCP sessions with the source IP address and the destination IP address. If a connection attempt is successful, the utility launches its custom protocol, which allows traffic to be pushed quickly between the two machines.

“The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes,” the advisory says. “Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt.”
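The header property quoted above lends itself to a triage heuristic over captured traffic: group TCP sessions whose first 34 payload bytes are identical except at up to two offsets. The sketch below is an added example, not code from the advisory or this article; the sample header bytes, the offsets 12 and 13, and the flow labels are constructed, and the real header values should be taken from the advisory itself.

```python
from collections import defaultdict
from itertools import combinations

HEADER_LEN = 34  # advisory: the initial authentication header is 34 bytes

def find_static_header_groups(flows, min_flows=3):
    """flows maps a flow label to the first payload bytes of a TCP session.
    Returns [(sorted flow labels, offsets that vary)] for every group whose
    34-byte headers are identical except at up to two byte offsets."""
    heads = {f: p[:HEADER_LEN] for f, p in flows.items() if len(p) >= HEADER_LEN}
    found = {}
    for i, j in combinations(range(HEADER_LEN), 2):
        buckets = defaultdict(list)
        for flow, head in heads.items():
            # Blank out the two candidate offsets, then bucket on the rest.
            masked = head[:i] + b"\x00" + head[i + 1:j] + b"\x00" + head[j + 1:]
            buckets[masked].append(flow)
        for members in buckets.values():
            if len(members) < min_flows:
                continue
            varying = tuple(k for k in (i, j)
                            if len({heads[m][k] for m in members}) > 1)
            if varying:  # fully identical headers are not the described pattern
                found[frozenset(members)] = varying
    return sorted((sorted(m), v) for m, v in found.items())

# Constructed sample data: a placeholder header (NOT the real Electricfish
# bytes) with two changing bytes at assumed offsets 12 and 13.
BASE = bytes([0xAA]) * HEADER_LEN

def sample(rand: bytes) -> bytes:
    return BASE[:12] + rand + BASE[14:] + b"payload"

SAMPLE_FLOWS = {
    "flow-a": sample(b"\x2b\x6e"),
    "flow-b": sample(b"\x91\x04"),
    "flow-c": sample(b"\x2b\xf0"),  # one random byte repeats by chance
    "flow-d": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n",
    "flow-e": b"\x16\x03\x01 short",  # shorter than 34 bytes, ignored
}

if __name__ == "__main__":
    for members, offsets in find_static_header_groups(SAMPLE_FLOWS):
        print("near-identical 34-byte headers:", members, "varying at", offsets)
```

Benign protocols with fixed preambles can also match, so a hit is a lead to compare against the advisory's published header, not a verdict.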

Such a tool can be used by threat actors to covertly funnel out information stolen from a victim’s machine, as well as to bolster attempts to remain under the radar and to keep the theft undetected.

The DHS and FBI said the advisory was published “to enable network defense and reduce exposure to North Korean government malicious cyber activity.”

This is one of many recent advisories relating to alleged North Korean cyberattackers. In April, the US government sent out a warning concerning Hoplight, another strain of malware used by Hidden Cobra.

Hoplight is a backdoor which siphons data from a victim machine and sends this information to an attacker’s command-and-control (C2) server. The malware is also capable of modifying registry settings, both creating and killing processes, and downloading files, among other features.

US government advisories for Hidden Cobra have been issued since 2017 with the emergence of the global WannaCry ransomware outbreak, which was believed to be the work of North Korean hackers.

A list of Indicators of Compromise (IOC) for Electricfish can be downloaded here.
