North Korean Hackers Using ELECTRICFISH Tunnels to Exfiltrate Data

November 21, 2019
electricfish trojan malware

Executive Summary

Two days ago (9th May), a Joint effort between Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) published a Malware Analysis Report (MAR) about a Trojan malware variant known as ELECTRICFISH. A North Korean based malicious actor known as HIDDEN COBRA is known to have utilized this malware. The targets of interest for ELECTRICFISH are unknown, but past attacks against these institute media, aerospace, and financial industries, as well as other critical infrastructure industries may have linked HIDDEN COBRA.


ELECTRICFISH is a 32-bit Windows executable application and command-line utility that funnels network traffic between an infected client and the actor’s server. The application initially establishes a TCP session between the client and server and then uses a custom protocol to exchange data. It is also equipped with extra features to work with a proxy server that intercepts requests between client and server without proper validation. The malware can be configured with a proxy username and password that allows the actor to authenticate the client sitting behind a proxy server, and to communicate with a server outside the target’s network.

Prevention and Mitigation

Recommended techniques will have to be implemented solely for similar case; however some would have been used for general type of attacks.To put emphasis it is crucial to review system configuration changes with system owners and administrators before implementing them because users may face unwanted effects that can damage their business.

  • As prerequisite AV should have latest signatures, engines and retain latest updated version.
  • Have the latest OS path and update.
  • When necessary open file and printer sharing services. If these services are required, use strong passwords or AD authentication.
  • Unprivileged uses should have no permission to install and run unwanted software applications.
  • Apply a strong password policy and implement regular password changes.
  • End-users should exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Users should have limited browsing access as much as possible limit it to work related intranet sites.
  • Users workstation should have no access to removable media (USB thumb drives, external drives, CDs, etc.)When needed acquire authorization from IT dept.
  • Maintain situation awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
About the author

Leave a Reply