U.S. Cyber Command posted the code of the recently discovered tunneling malware called Electric Fish to VirusTotal.
The move is part of Cyber Command’s ongoing effort to fight nation-state cyberattacks. The U.S. government specifically believes Electric Fish, which was first uncovered in May 2019, was developed by the North Korean government to steal money.
Electric Fish is described by US-CERT as “A command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.”
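As an added illustration (not code from the article, US-CERT or Cyber Command), the following Python sketch shows one way a defender could hunt for the behaviour US-CERT describes above: a single process holding TCP sessions to both an internal "source" host and an external "destination" host at the same time, which is the precondition for relaying traffic between them. The telemetry format, process names, addresses, internal ranges and the time window are all constructed for the example; the page gives no command-line switches or indicators for Electric Fish, so none are assumed.

```python
"""Added example (not from the article, US-CERT or Cyber Command): a small
detection heuristic run over constructed endpoint telemetry. It flags a
process that connects to an internal host and an external host within a
short window, the two legs a relay needs before it can tunnel traffic.
Every value below (log format, paths, addresses, ranges, window) is a
constructed assumption, not an Electric Fish indicator."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed telemetry: one outbound TCP connection event per line,
# "<timestamp> pid=<pid> image=<path> dst=<ip>:<port>".
SAMPLE_LOG = """\
2019-05-09T10:00:01Z pid=4120 image=C:\\Users\\svc\\AppData\\Local\\Temp\\relay.exe dst=10.20.30.40:3389
2019-05-09T10:00:03Z pid=4120 image=C:\\Users\\svc\\AppData\\Local\\Temp\\relay.exe dst=203.0.113.25:443
2019-05-09T10:00:05Z pid=2200 image=C:\\Program Files\\Browser\\browser.exe dst=198.51.100.7:443
2019-05-09T10:00:09Z pid=2200 image=C:\\Program Files\\Browser\\browser.exe dst=198.51.100.8:443
2019-05-09T10:15:00Z pid=3311 image=C:\\Windows\\System32\\svchost.exe dst=10.20.30.41:445
2019-05-09T10:40:00Z pid=3311 image=C:\\Windows\\System32\\svchost.exe dst=203.0.113.9:80
"""

# Assumed enterprise-internal ranges (RFC 1918); tune per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Image paths may contain spaces, so parse with a regex rather than split().
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class ConnEvent:
    ts: datetime
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> ConnEvent:
    """Parse one constructed telemetry line; raise ValueError on malformed input."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised telemetry line: {line!r}")
    return ConnEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        pid=int(m["pid"]),
        image=m["image"],
        dst_ip=m["ip"],
        dst_port=int(m["port"]),
    )


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(log_text: str, window_seconds: float = 60.0) -> list[dict]:
    """Return one finding per process that reached an internal and an external
    host within `window_seconds` of each other (the relay's two legs)."""
    by_proc: dict[tuple[int, str], list[ConnEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_proc[(ev.pid, ev.image)].append(ev)

    findings = []
    for (pid, image), events in by_proc.items():
        internal = [e for e in events if is_internal(e.dst_ip)]
        external = [e for e in events if not is_internal(e.dst_ip)]
        # An ordinary client that only talks outward (or only inward) never pairs up;
        # a relay needs both legs alive at roughly the same time.
        pair = next(
            ((i, x) for i in internal for x in external
             if abs((i.ts - x.ts).total_seconds()) <= window_seconds),
            None,
        )
        if pair is not None:
            i, x = pair
            findings.append({
                "pid": pid,
                "image": image,
                "internal": f"{i.dst_ip}:{i.dst_port}",
                "external": f"{x.dst_ip}:{x.dst_port}",
                "gap_seconds": abs((i.ts - x.ts).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(SAMPLE_LOG):
        print(f"possible tunnel: pid={f['pid']} {f['image']} {f['internal']} <-> {f['external']}")
```

On the constructed sample only the temp-directory `relay.exe` trips the default 60-second window; the browser talks only to external hosts, and `svchost.exe` reaches an internal and an external host 25 minutes apart, which a wider window would also surface. The heuristic is deliberately coarse: pairing it with command-line auditing (the proxy host, user name and password arguments US-CERT describes would appear there) and with egress allow-lists is what turns it into a usable alert.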