The dangers of ELECTRICFISH, a tunneling tool used for traffic funneling and data exfiltration by the North Korean government hacking group Hidden Cobra, are explained in a new Malware Analysis Report (MAR) jointly issued by the US FBI and the Department of Homeland Security.
ELECTRICFISH is attributed to North Korea.
The 32-bit Windows executable is a command-line utility that establishes a connection between a source IP address and a destination IP address and implements a custom protocol, allowing the APT group (also known as Lazarus) to move traffic and data rapidly between an infected machine and the group's own network.
Additionally, the MAR continues, "The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network."
The report offers multiple recommendations from DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to help protect against this and other threats.
This article was originally published on SC Media US.