Feds hook ELECTRICFISH, new Windows malware from North Korea

The FBI and Department of Homeland Security have identified (Malware Analysis Report AR19-129A) a new strain of malware from North Korea, the latest in a long line of cyber attacks from the country.

The Windows malware, dubbed ELECTRICFISH, sets up a tunnel between a machine on the victim’s network and the attacker’s system, enabling the attacker to receive network traffic from the victim.

Once it has a foothold, it then tries to connect to a source IP address within the victim’s network, and a destination address owned by the attacker. The attacker can also configure a proxy to act as an intermediary between the infected computer and the destination IP, avoiding the need for authentication to get outside the victim’s network. The US CERT advisory says:

If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines.

How to avoid infection

Aside from keeping antivirus signatures up to date, the advisory recommends:

  • patching operating systems and restricting permissions to install and run unwanted software;
  • thinking twice before opening email attachments, and being cautious when using removable media;
  • for admins, disabling file- and printer-sharing services, or at least requiring strong passwords or Active Directory authentication if those services are left on.

HIDDEN COBRA

This isn’t the first advisory that the DHS has issued concerning North Korean hackers. It has a whole codename dedicated to the country’s online shenanigans: HIDDEN COBRA. The most recent advisory it issued before this one was on 10 April, 2019. That one described a malicious executable file that collected information about the victim’s machine and sent it back to the attacker’s IP addresses.

MITRE associates HIDDEN COBRA with other names that have surfaced in the press in relation to North Korea: the Lazarus Group, Guardians of Peace, ZINC and NICKEL ACADEMY.

The group, active since at least 2009, has been blamed for the 2014 attack against Sony Pictures Entertainment, and for the WannaCry ransomware.

The list of DHS advisories on North Korea includes reports of remote administration tools (RATs), Trojans, worms, and DDoS botnets.