Posted on May 13, 2019 at 5:39 PM
Both the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have uncovered a new strain of malware that they believe is being used in a new wave of North Korean cyber attacks. The joint advisory that the two federal agencies released states that the malware was discovered while the agencies were tracking the activity of the hacking group Hidden Cobra.
Hidden Cobra, also known as Lazarus Group, is believed to be a hacking group that is supported by the nation-state of North Korea. The group is best known for its attacks on financial institutions, critical industrial networks, and research groups that house valuable intellectual property.
ElectricFish seen through a single Windows EXE
The agencies say that they were able to identify ElectricFish from a single 32-bit Windows executable. After reverse engineering the sample EXE file, they concluded that the malware contains a custom protocol that allows an attacker to funnel traffic between a source IP address and a destination IP address.
This is an ingenious way for the hackers to bypass secured proxy servers. ElectricFish is able to tunnel arbitrary traffic through a proxy, which allows it to reach outside of the victim’s network. The advisory puts it into better context:
“The malware can be configured with a proxy server/port and proxy username and password; this feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
The malware includes a command-line utility that first attempts to establish a TCP session between the source and destination IP addresses; only once that session is established does it launch its own protocol. This allows it to tunnel a substantial amount of traffic between the machines and lay the groundwork for further penetration.
The advisory adds that the header of the authentication packet that establishes the link is completely static, with the exception of the bytes 0x2B6E, which change every time a connection attempt is made. This subtle method allows the group controlling the malware to remain discreet: they can secretly funnel information out of a critical machine while keeping their activity under the radar, so that the theft is not discovered.
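A mostly static header with a small per-connection variable field is, from a defender's side, still a usable network signature: the static bytes are matched exactly and the changing bytes are treated as wildcards. The following is an added illustration, not code from the advisory or from this article, and the header bytes it uses are a constructed placeholder (the article does not reproduce ElectricFish's real header); the session records are constructed sample input as well.

```python
from typing import Dict, List, Optional

# Constructed placeholder signature (NOT ElectricFish's real header, which the
# article does not reproduce). None marks a byte that is allowed to vary, in
# the same way the advisory describes a 2-byte field changing per connection.
HEADER_SIGNATURE: List[Optional[int]] = [0x4C, 0x50, 0x01, 0x00, None, None, 0x00, 0x08]


def match_header(payload: bytes, signature: List[Optional[int]] = HEADER_SIGNATURE) -> Optional[bytes]:
    """Return the bytes found at the wildcard positions when the start of
    `payload` matches `signature`; return None when it does not match or
    the payload is shorter than the signature."""
    if len(payload) < len(signature):
        return None
    variable = bytearray()
    for got, want in zip(payload, signature):
        if want is None:
            variable.append(got)        # wildcard: record, do not compare
        elif got != want:
            return None                 # static byte differs: no match
    return bytes(variable)


def to_yara_hex(signature: List[Optional[int]] = HEADER_SIGNATURE) -> str:
    """Render the signature as a YARA hex string; '??' is YARA's one-byte wildcard."""
    parts = ["??" if b is None else f"{b:02X}" for b in signature]
    return "{ " + " ".join(parts) + " }"


def scan_sessions(sessions: List[Dict]) -> List[Dict]:
    """Check the first bytes each client sent; alert on signature hits and
    keep the variable field so repeated connections can be correlated."""
    alerts = []
    for s in sessions:
        var = match_header(s["first_bytes"])
        if var is not None:
            alerts.append({"src": s["src"], "dst": s["dst"], "variable_bytes": var.hex()})
    return alerts


# Constructed sample sessions: two hits with different variable bytes, one
# ordinary HTTP request, and one truncated payload that must not match.
SAMPLE_SESSIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7",
     "first_bytes": bytes([0x4C, 0x50, 0x01, 0x00, 0x1A, 0x2B, 0x00, 0x08]) + b"\x00" * 8},
    {"src": "10.0.0.5", "dst": "203.0.113.7",
     "first_bytes": bytes([0x4C, 0x50, 0x01, 0x00, 0x9C, 0x03, 0x00, 0x08]) + b"\x00" * 8},
    {"src": "10.0.0.9", "dst": "198.51.100.2", "first_bytes": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.12", "dst": "203.0.113.7", "first_bytes": b"\x4C\x50"},
]

if __name__ == "__main__":
    print("YARA hex string:", to_yara_hex())
    for alert in scan_sessions(SAMPLE_SESSIONS):
        print(alert)
```

The point the advisory makes is visible in the two hits: the variable bytes differ on every attempt, but the surrounding static bytes are enough to identify both connections, and the recorded variable field lets an analyst correlate repeated attempts from the same host.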
Agencies working to increase overall cybersecurity effectiveness
The advisory was published so that others are able to keep their networks and systems as safe as possible. The only way to combat such malware is to make it public, so that as many cybersecurity professionals as possible are aware of the threat. The agencies have also included a list of IOCs (indicators of compromise) for ElectricFish, which can be found here.
This is just the latest in a string of advisories by federal agencies, with the previous advisory having to do with another North Korean tool called Hoplight. Hoplight is also malware made by Hidden Cobra; it is a backdoor that sends information from the victim’s machine to a C2 (command and control) server. It is a particularly nasty backdoor that is able to change registry settings on an infected computer. In addition, Hoplight can open and close processes and download files on an infected system.
US federal government agencies have been tracking Hidden Cobra since the massive outbreak of the WannaCry ransomware epidemic. That outbreak was also believed to be the work of North Korean hackers, and many in the infosec community believe that it originated with Hidden Cobra.
The openness these agencies are showing by publishing this as soon as possible is a far cry from earlier days, when government agencies did not take part in the cybersecurity community in this way.