Warning Issued over Electricfish Malware used by North Korea-Backed Threat Group Hidden Cobra

US-CERT has issued a warning about a new malware variant dubbed Electricfish, which is reportedly being used by the North Korea-backed threat group Hidden Cobra, aka Lazarus.

The malware is packaged as a Windows 32-bit executable file and establishes a custom protocol that allows traffic to be funneled between two IP addresses. The malware continuously attempts to contact the source and the destination system, which allows both sides to establish a new funneling session.

The malware can be configured with a proxy server/port and a proxy username and password, which allows connectivity to a system located behind a proxy server. This lets the threat actor bypass the authentication required on a compromised system to reach outside the network.

The malware is a command-line utility that establishes TCP sessions with the source IP address and the destination IP address. If a connection attempt succeeds, the custom protocol will be launched and a funneling session will be established. The threat actors can move traffic between different proxies to reach outside the target’s network and send sensitive information from a compromised machine to servers controlled by the threat group, while remaining under the radar.
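A defender-side illustration of how the behavior described above can surface in connection telemetry, added here as an example and not taken from the US-CERT report. The record layout, host and process names, thresholds and the heuristic itself are assumptions, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict

# Constructed sample connection records: (epoch_seconds, host, process, destination, outcome).
# Addresses come from documentation ranges; none are real indicators.
SAMPLE_EVENTS = [
    *[(1000 + 30 * i, "ws-17", "svc.exe", "192.0.2.10:8080", "refused") for i in range(6)],
    *[(1005 + 30 * i, "ws-17", "svc.exe", "198.51.100.7:443", "timeout") for i in range(6)],
    (1010, "ws-17", "browser.exe", "203.0.113.5:443", "ok"),
    (1020, "ws-17", "browser.exe", "203.0.113.9:443", "ok"),
    (1030, "ws-17", "browser.exe", "203.0.113.20:443", "ok"),
    *[(2000 + 60 * i, "ws-22", "updater.exe", "203.0.113.50:443", "ok") for i in range(8)],
]


def find_tunnel_candidates(events, min_attempts=5, max_gap=120):
    """Flag (host, process) pairs that keep dialling exactly two endpoints.

    Heuristic (an assumption of this example): a two-ended relay shows up as one
    process making repeated TCP attempts, failed ones included, to a fixed pair
    of destinations, with the attempts to both ends overlapping in time.
    """
    per_proc = defaultdict(lambda: defaultdict(list))
    for ts, host, proc, dst, _outcome in events:
        per_proc[(host, proc)][dst].append(ts)

    findings = []
    for (host, proc), dsts in per_proc.items():
        if len(dsts) != 2:
            continue  # a relay pairs two endpoints; browsers fan out, updaters use one
        (a, ta), (b, tb) = sorted(dsts.items())
        if min(len(ta), len(tb)) < min_attempts:
            continue  # not a sustained retry loop
        # Both retry loops must be active during a shared time span.
        overlap = min(max(ta), max(tb)) - max(min(ta), min(tb))
        # Retries must be regular: no long silence between consecutive attempts.
        steady = all(y - x <= max_gap
                     for t in (sorted(ta), sorted(tb)) for x, y in zip(t, t[1:]))
        if overlap > 0 and steady:
            findings.append({"host": host, "process": proc, "endpoints": [a, b],
                             "attempts": len(ta) + len(tb)})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_EVENTS):
        print(finding)
```

A hit from a heuristic like this is a lead for triage, not a verdict; the IOCs in the joint report remain the authoritative indicators.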

Hidden Cobra is known for conducting attacks on financial institutions and high-value industrial targets with the aim of stealing intellectual property. While the latest malware variant is new, two similar malware samples have been detected which have previously been used in attacks on financial institutions and critical infrastructure in Vietnam, according to VNCERT. These malware variants are mostly not being detected as malicious by AV engines on VirusTotal.

The latest alert is one of several to be issued by US-CERT in relation to the activity of Hidden Cobra. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been tracking the activity of the threat group since 2016 and have been attempting to identify its tactics and disrupt its operations.

The DHS and the FBI joint malware analysis report, which includes IOCs, can be downloaded here.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news