North Korean Hackers Use ELECTRICFISH Malware to Steal Data

by chebbi abir

The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) have issued a joint malware analysis report (MAR) on a malware strain dubbed ELECTRICFISH and used by the North Korean APT group Lazarus to exfiltrate data from victims.

According to the MAR AR19-129A advisory released on US-CERT’s website, the malware was detected while tracking the malicious activities of the North Korean-backed hacking group HIDDEN COBRA (also known by security experts as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).

The MAR-10135536-21 malware analysis report was issued “to enable network defense and reduce exposure to North Korean government malicious cyber activity.”

As further detailed in the ELECTRICFISH advisory:

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

The report published on the US-CERT website comes with a detailed analysis of one malicious 32-bit executable file identified as a sample of Lazarus’ ELECTRICFISH malware.

The malware “implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.”

Because the malware can be configured by the Lazarus group attackers “with a proxy server/port and proxy username and password,” it makes it possible to connect “to a system sitting inside of a proxy server” and thus circumvent the infected system’s authentication.[..]
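The behaviour the advisory describes, an implant that keeps trying to reach both ends of its funnel, is visible in connection logs as a host retrying the same two remote endpoints on a short, steady cadence. The following heuristic is an added example, not code from the MAR or the article; the log format, field names, thresholds and sample addresses are constructed assumptions, not ELECTRICFISH indicators.

```python
"""Flag internal hosts that persistently retry two or more remote endpoints.
Added example (not from the advisory); log format and values are assumed."""
import re
from collections import defaultdict

# Constructed sample log: "<unix_ts> <src_ip> <dst_ip:port>" per line.
# 10.0.0.5 retries two endpoints every 60s; 10.0.0.8 is ordinary traffic.
SAMPLE_LOG = """\
1557300000 10.0.0.5 198.51.100.7:8080
1557300030 10.0.0.5 203.0.113.9:443
1557300060 10.0.0.5 198.51.100.7:8080
1557300090 10.0.0.5 203.0.113.9:443
1557300120 10.0.0.5 198.51.100.7:8080
1557300150 10.0.0.5 203.0.113.9:443
1557300180 10.0.0.5 198.51.100.7:8080
1557300210 10.0.0.5 203.0.113.9:443
1557300000 10.0.0.8 192.0.2.1:443
1557300500 10.0.0.8 192.0.2.2:443
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, src, dst_endpoint) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def find_relay_beacons(log, min_attempts=3, max_gap=120):
    """Return {src: [endpoints]} for hosts that contact at least two
    endpoints min_attempts times each with no pause longer than max_gap
    seconds between attempts (a persistent reconnect loop to both ends)."""
    attempts = defaultdict(lambda: defaultdict(list))
    for ts, src, dst in parse(log):
        attempts[src][dst].append(ts)
    hits = {}
    for src, by_dst in attempts.items():
        persistent = []
        for dst, times in by_dst.items():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(times) >= min_attempts and all(g <= max_gap for g in gaps):
                persistent.append(dst)
        if len(persistent) >= 2:  # both the "source" and "destination" side
            hits[src] = sorted(persistent)
    return hits
```

Tune `min_attempts` and `max_gap` to the environment; on real logs, exclude known update, DNS and proxy endpoints first to keep the false-positive rate manageable.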
