The FBI and the Department of Homeland Security have jointly issued a new Malware Analysis Report (MAR) warning of the dangers of ELECTRICFISH, a tunneling tool used for traffic funneling and data exfiltration by the North Korean government hacking group Hidden Cobra.
The 32-bit Windows executable is a command-line utility that establishes a connection between a source IP address and a destination IP address and implements a custom protocol, allowing the APT group (also known as Lazarus) to move traffic and data rapidly between an infected machine and their own network. The report notes that the malware continuously attempts to reach both endpoints, so either side can initiate a funneling session.
Additionally, the MAR continues, “The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
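To make the two capabilities described above concrete, here is a minimal TCP funnel with an optional authenticating-proxy exit. This is an added example written for this page; it is not ELECTRICFISH's code and does not reproduce its custom protocol, only the generic relay-between-two-endpoints behaviour and the CONNECT-with-credentials step that a proxy configuration implies. The loopback echo server and the HTTP CONNECT/Basic-auth handling are assumptions for the demonstration.

```python
"""Toy TCP funnel: accept on one side, connect out on the other, relay
bytes both ways. Added example, not the malware's own code."""
import base64
import socket
import threading


def build_connect_request(dest_host, dest_port, user=None, password=None):
    """HTTP CONNECT request for exiting through a proxy. Basic credentials
    are attached only when supplied (assumed proxy auth scheme)."""
    lines = [f"CONNECT {dest_host}:{dest_port} HTTP/1.1",
             f"Host: {dest_host}:{dest_port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def open_upstream(dest_host, dest_port, proxy=None):
    """Direct connection, or a CONNECT tunnel via proxy=(host, port, user, pw)."""
    if proxy is None:
        return socket.create_connection((dest_host, dest_port))
    phost, pport, user, password = proxy
    s = socket.create_connection((phost, pport))
    s.sendall(build_connect_request(dest_host, dest_port, user, password))
    head = b""
    while b"\r\n\r\n" not in head:           # read the proxy's response header
        chunk = s.recv(4096)
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed during CONNECT")
        head += chunk
    status = head.split(b"\r\n", 1)[0]
    if b" 200 " not in status:
        s.close()
        raise ConnectionError(status.decode(errors="replace"))
    return s


def pump(src, dst):
    """Copy bytes src->dst until EOF, then propagate EOF to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Bidirectional funnel: one pump thread per direction."""
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=pump, args=(src, dst), daemon=True).start()


def serve_tunnel(listen_host, dest_host, dest_port, proxy=None):
    """Listen on an ephemeral port; relay every client to dest. Returns port."""
    ls = socket.socket()
    ls.bind((listen_host, 0))
    ls.listen(5)

    def accept_loop():
        while True:
            client, _ = ls.accept()
            relay(client, open_upstream(dest_host, dest_port, proxy))

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def serve_echo(host="127.0.0.1"):
    """Constructed stand-in for the far-side endpoint: echoes input back."""
    ls = socket.socket()
    ls.bind((host, 0))
    ls.listen(5)

    def loop():
        while True:
            c, _ = ls.accept()
            threading.Thread(target=pump, args=(c, c), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]


def roundtrip_through_tunnel(payload):
    """Send payload client -> tunnel -> echo and return what comes back."""
    echo_port = serve_echo()
    tunnel_port = serve_tunnel("127.0.0.1", "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", tunnel_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)              # EOF travels through both hops
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


if __name__ == "__main__":
    print(roundtrip_through_tunnel(b"hello through the funnel"))
```

The point for defenders is in `open_upstream`: a tool that already carries proxy credentials does not need to defeat an egress proxy, it simply authenticates as the compromised host, so proxy logs that show CONNECT sessions to unusual destinations from that host are worth correlating with the report's indicators.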
The report offers multiple recommendations from DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to help protect against this and other threats.