A warning released by the U.S. Computer Emergency Readiness Team on Thursday does not indicate if any organizations have sustained an attack from Hidden Cobra, also known as the Lazarus Group, using the Electricfish malware. Because investigators were able to reverse-engineer some of the code, however, there’s a possibility it is operating in the wild and has been used in some way by the group.
The FBI and the Department of Homeland Security have issued a joint warning about new malware called “Electricfish.” Investigators suspect it was developed by the advanced persistent threat group Hidden Cobra, which has been linked to North Korea.
This is the second time within a month that U.S. authorities have warned about new cyberattacks stemming from Hidden Cobra, which has been linked to the WannaCry ransomware attacks of 2017 as well as the Sony Pictures breach of 2014.
In April, CERT warned of Hidden Cobra using a new Trojan called Hoplight that can disguise the network traffic it sends back to its originators, making it more difficult for security companies and law enforcement officials to track its movements. Over the last two years, CERT has issued 17 warnings about cyberattacks tied to North Korea, starting with the initial WannaCry alert.
The primary purpose of Electricfish is to secretly funnel traffic between two IP addresses using a custom protocol, allowing the attackers to steal data and avoid detection.
This type of “hidden tunnel” between two IP address is sometimes used in legitimate business applications, but attacks can use this method for data exfiltration, says the head of security analytics at a San Jose California-based threat detection and response firm.
The analysis of the Electricfish malware is based on one 32-bit Windows executable file that contains the custom protocol that allows network traffic to be funneled between a source IP address and a destination address, according to CERT.
Through reverse-engineering, federal investigators found that the malware continuously attempts to reach out to both the source and destination systems. By doing this, it allows the attackers on either side to start a funneling session. Electricfish can also be configured with a proxy server or port as well as a proxy username and password, the analysis found.
As with other warnings from CERT, the FBI and DHS are urging organizations to take some precautions to prevent an attack. These include:
- Maintain up-to-date anti-virus signatures and engines and keep operating system patches current;
- Disable file and printer sharing services when possible; use strong passwords or Active Directory for authentication;
- Restrict users from installing and running unauthorized software;
- Disable unnecessary services and software as well as workstations and servers;
- Scan and remove suspicious email attachments, and ensure that attachments are “true file types” – the extension matches the file header.
