The FBI and DHS have posted another alert about a new piece of malware used by the North Korean government hacking crew Hidden Cobra, also known as Lazarus. This time it’s a tool for secretly tunneling traffic out of infected Windows systems.
Dubbed Electricfish, the malicious Win32 executable is a command-line tool that implements a custom protocol for quickly funneling traffic between two IP addresses, according to the DHS writeup published by US-CERT.
The design allows the user of Electricfish to configure a destination IP address and port outside the target’s network, a source IP address and port within the target’s network, as well as a proxy IP address and port.
The proxy settings include a username and password for authenticating to the proxy server; the tool uses them to get past the proxy authentication the infected system's network requires and reach outside the target network.
“It will attempt to establish TCP sessions with the source IP address and the destination IP address,” US-CERT notes.
“If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.”
Once the malware has authenticated with the configured proxy, it attempts to establish a session with the destination IP address. An attacker would specify the source and destination for the tunnel as command-line arguments.
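As an added defensive example, not taken from the US-CERT report, the Python heuristic below scans constructed Sysmon-style network-connection records and flags any process that opens both an internal (RFC 1918) and an external TCP connection within a short window, which is the pattern a port-forwarding tool like the one described above would produce (source inside the network, destination or proxy outside). The process paths, IP addresses, ports and the 30-second window are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (hypothetical values), modelled on Sysmon
# Event ID 3 fields: (timestamp_s, process_image, dst_ip, dst_port)
EVENTS = [
    (100, r"C:\Windows\System32\svchost.exe", "10.0.0.5", 445),
    (101, r"C:\Users\u\AppData\Local\Temp\ef.exe", "10.0.0.22", 3389),
    (102, r"C:\Users\u\AppData\Local\Temp\ef.exe", "203.0.113.9", 8080),
    (103, r"C:\Program Files\Browser\browser.exe", "203.0.113.50", 443),
    (150, r"C:\Users\u\AppData\Local\Temp\ef.exe", "198.51.100.7", 443),
]

# RFC 1918 ranges only; Python's is_private would also treat the
# documentation ranges used in the sample data as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_tunnel_candidates(events, window_s=30):
    """Return one record per process that connected to an internal host
    and to an external host within window_s seconds of each other."""
    by_proc = defaultdict(list)
    for ts, image, ip, port in events:
        by_proc[image].append((ts, ip, port))
    hits = []
    for image, conns in by_proc.items():
        conns.sort()
        internal = [c for c in conns if is_internal(c[1])]
        external = [c for c in conns if not is_internal(c[1])]
        for ti, iip, iport in internal:
            for te, eip, eport in external:
                if abs(ti - te) <= window_s:
                    hits.append({"image": image,
                                 "internal": f"{iip}:{iport}",
                                 "external": f"{eip}:{eport}"})
                    break  # one report per internal endpoint is enough
    return hits


if __name__ == "__main__":
    for hit in find_tunnel_candidates(EVENTS):
        print(hit)
```

On real data, pair this with the proxy's own authentication logs: a non-browser process authenticating to the egress proxy is the second signal the report's description points to.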
The report doesn't state whether US organizations have previously been infected with this malware, though US-CERT notes it published the report to help organizations improve network defense and reduce exposure to the North Korean government's cyber activity.
Electricfish is US-CERT’s 16th report on Hidden Cobra's -- also known as Lazarus -- malware activities since its May 2017 writeup of the global WannaCry attack, which crippled parts of the UK's National Health Service. The US, UK and Australia accused North Korea of developing and deploying WannaCry.
In April it drew attention to a Hidden Cobra trojan called Hoplight, which collected system information and was used to load toolkits for harvesting user credentials and passwords.
In October last year, it detailed malware called FastCash that was used to target payment switch application servers in banks in Africa and Asia to conduct fraudulent transactions. The scheme was used to fraudulently take cash out of ATMs. It was estimated the group stole tens of millions of dollars with the FastCash scheme and malware that Symantec subsequently identified. The group was also accused of