North Korea’s Latest: ELECTRICFISH

Author: Cedric Ecran

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a malware analysis report highlighting a new malware threat named ELECTRICFISH. What is ELECTRICFISH? Straight out of Hidden Cobra, North Korea’s government-sponsored hacking organization, also known as Lazarus Group or Guardians of Peace (who brought you WannaCry ransomware in 2017), comes the latest and greatest in traffic tunneling technology, now with support for a proxy IP address, port, username, and password to get around those pesky network authorizations.

The malware was identified as a malicious Windows executable that takes command line arguments: a destination IP address, a source IP address and, if needed, the proxy settings listed above, which let it talk to a proxy server and so reach the network outside the target’s own. The malware attempts to establish TCP connections between the source and destination IP addresses; once connected, a custom protocol is implemented so that data can be funneled between the two now connected machines. The main selling point, however, is the proxy support: the malware can authenticate to a proxy and still reach the destination IP address.

“After the malware authenticates with the configured proxy, it will immediately attempt to establish a session with the destination IP address, located outside of the target network and the source IP address. The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes. Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt.”

This two-byte difference on every connection attempt makes this particular tunneling malware harder to detect and easier to overlook, increasing the chances of it successfully pulling a substantial amount of data out of the target computer. The question now is how many computers have already been infected with North Korea’s latest and greatest, and what damage has it already inflicted?
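Detection logic for the header behaviour the report describes, as an added example that is not from the CISA report or this post’s author: it works out which offsets vary across several captured headers and then matches new packets against the static remainder, so the two random bytes no longer defeat a byte-for-byte signature. The header bytes, the 2-byte field at offset 10 and the sample captures are all constructed placeholders; the report gives only the 34-byte length and the fact that two bytes change per attempt.

```python
# Added example: derive a masked signature from captured 34-byte headers and
# match new traffic against it. All byte values here are CONSTRUCTED placeholders,
# not the real ELECTRICFISH header.
from typing import List, Tuple

HEADER_LEN = 34  # from the report: a 34-byte initial authentication header

def derive_mask(samples: List[bytes]) -> Tuple[bytes, List[int]]:
    """Return (static_template, variable_offsets) from headers captured over several
    connection attempts. An offset is 'variable' if any sample differs from the first
    sample there. With too few samples a random byte can coincide and be missed."""
    if not samples or any(len(s) < HEADER_LEN for s in samples):
        raise ValueError("need at least one sample of at least HEADER_LEN bytes")
    base = samples[0][:HEADER_LEN]
    variable = [i for i in range(HEADER_LEN) if any(s[i] != base[i] for s in samples)]
    return base, variable

def matches(packet: bytes, template: bytes, variable: List[int]) -> bool:
    """True if the first HEADER_LEN bytes of packet equal template at every offset
    except the variable ones (the two random bytes)."""
    if len(packet) < HEADER_LEN:
        return False
    skip = set(variable)
    return all(packet[i] == template[i] for i in range(HEADER_LEN) if i not in skip)

# Constructed captures: 32 placeholder static bytes with a 2-byte random field at
# offset 10 (the offset is an assumption; the report does not state where it sits).
def _sample(rand: bytes) -> bytes:
    fixed = bytes(range(0x10, 0x10 + 32))
    return fixed[:10] + rand + fixed[10:]

CAPTURES = [_sample(b"\x2b\x6e"), _sample(b"\x91\x04"), _sample(b"\x00\xff")]
TEMPLATE, VARIABLE = derive_mask(CAPTURES)

def scan(packets: List[bytes]) -> List[int]:
    """Indices of packets whose leading bytes match the derived signature."""
    return [n for n, p in enumerate(packets) if matches(p, TEMPLATE, VARIABLE)]

if __name__ == "__main__":
    new = [_sample(b"\x7a\x7a") + b"payload",          # fresh attempt, new random bytes
           b"GET / HTTP/1.1\r\n" + bytes(34),           # unrelated traffic
           _sample(b"\x01\x02")]
    print("variable offsets:", VARIABLE)  # [10, 11]
    print("matching packets:", scan(new))  # [0, 2]
```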

Original MAR: https://www.us-cert.gov/ncas/analysis-reports/AR19-129A