North Korean Hackers Use ELECTRICFISH Malware to Steal Data

The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) have issued a joint malware analysis report (MAR) on a malware strain dubbed ELECTRICFISH, used by the North Korean APT group Lazarus to exfiltrate data from victims.
According to the MAR AR19-129A advisory released on US-CERT’s website, the malware was detected while tracking the malicious activities of the North Korean-backed hacking group HIDDEN COBRA (also known by security experts as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).
The MAR-10135536-21 malware analysis report was issued “to enable network defense and reduce exposure to North Korean government malicious cyber activity.”
As further detailed in the ELECTRICFISH advisory:
This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
The report published on the US-CERT website comes with a detailed analysis of one malicious 32-bit executable file found to be infected with Lazarus’ ELECTRICFISH malware.
The malware “implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.”
Because the malware can be configured by the Lazarus group attackers “with a proxy server/port and proxy username and password,” it is able to connect “to a system sitting inside of a proxy server” and thus pass through the authentication that the infected system's proxy would otherwise require.
@CISAgov & the @FBI released information today on North Korean malware known as ELECTRICFISH. This malware analysis report contains instructions on how to report incidents, request resources, and mitigate risks.
— Cybersecurity (@cyber) May 9, 2019
After bypassing the configured authentication measures on the compromised machine, ELECTRICFISH will “establish a session with the destination IP address, located outside of the target network and the source IP address.”
Once a connection is established between a source IP address and a destination IP address, the ELECTRICFISH malware can funnel Internet traffic between the two machines, allowing the malicious actors to funnel the information collected from compromised computers to servers that they control.
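As an added defender-side example (not code from the report or from this article), the following Python check looks for the behaviour the report describes in outbound proxy logs: one internal host repeatedly opening CONNECT tunnels to a single external address at short, regular intervals, with proxy credentials in use. The log lines are constructed and the field layout assumed is the Squid native access-log format; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed Squid-style proxy access log lines (not from the report):
# "<epoch> <elapsed_ms> <client> <status>/<code> <bytes> <method> <url> <user> <hier> <type>"
SAMPLE_LOG = """\
1557360000.000 120 10.0.0.5 TCP_TUNNEL/200 512 CONNECT 203.0.113.10:443 jdoe HIER_DIRECT/203.0.113.10 -
1557360005.000 115 10.0.0.5 TCP_DENIED/407 0 CONNECT 203.0.113.10:443 - HIER_NONE/- -
1557360010.000 110 10.0.0.5 TCP_TUNNEL/200 480 CONNECT 203.0.113.10:443 jdoe HIER_DIRECT/203.0.113.10 -
1557360015.000 118 10.0.0.5 TCP_TUNNEL/200 500 CONNECT 203.0.113.10:443 jdoe HIER_DIRECT/203.0.113.10 -
1557360020.000 121 10.0.0.5 TCP_TUNNEL/200 490 CONNECT 203.0.113.10:443 jdoe HIER_DIRECT/203.0.113.10 -
1557360025.000 117 10.0.0.5 TCP_TUNNEL/200 505 CONNECT 203.0.113.10:443 jdoe HIER_DIRECT/203.0.113.10 -
1557360002.000 300 10.0.0.7 TCP_TUNNEL/200 90000 CONNECT www.example.com:443 asmith HIER_DIRECT/93.184.216.34 -
1557363602.000 280 10.0.0.7 TCP_TUNNEL/200 85000 CONNECT www.example.com:443 asmith HIER_DIRECT/93.184.216.34 -
"""

# Captures: timestamp, client, status, destination, proxy user (only CONNECT requests).
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+CONNECT\s+(\S+)\s+(\S+)")

def parse_connects(log_text):
    """Yield (timestamp, client, dest, status, user) for each CONNECT line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, status, dest, user = m.groups()
            yield float(ts), client, dest, status, user

def find_persistent_tunnels(log_text, min_attempts=5, max_median_gap=60.0):
    """Flag (client, dest) pairs that keep re-opening a tunnel at short, regular
    intervals, and note whether proxy credentials were presented along the way."""
    sessions = defaultdict(list)
    for ts, client, dest, status, user in parse_connects(log_text):
        sessions[(client, dest)].append((ts, status, user))
    findings = []
    for (client, dest), events in sessions.items():
        if len(events) < min_attempts:
            continue  # too few attempts to call it a persistent tunnel
        times = sorted(ts for ts, _, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap:
            findings.append({
                "client": client, "dest": dest, "attempts": len(events),
                "median_gap_s": round(median(gaps), 1),
                "authenticated": any(u != "-" for _, _, u in events),
                "denied": sum(1 for _, s, _ in events if "DENIED" in s),
            })
    return findings

if __name__ == "__main__":
    for finding in find_persistent_tunnels(SAMPLE_LOG):
        print(finding)  # 10.0.0.5 -> 203.0.113.10:443, 6 attempts ~5 s apart
```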
Malware analysis reports are issued by the DHS via US-CERT to “provide organizations with more detailed malware analysis acquired via manual reverse engineering.”
How to avoid infection
Aside from keeping their antivirus signatures up-to-date, the advisory recommends:
- patching operating systems and restricting permissions to install and run unwanted software;
- thinking twice before opening email attachments, and being cautious when using removable media;
- disabling file- and printer-sharing services, or at least using strong passwords or Active Directory authentication if leaving them on.