North Korea debuts new Electricfish malware in Hidden Cobra campaigns
#1
Quote: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks.
 
Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, a threat group believed to be state-sponsored and backed by the North Korean government.

Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.
 
The description of Electricfish is based on one malicious 32-bit Windows executable. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses. Electricfish is, therefore, able to shift traffic through proxies by the attackers to reach outside of a victim network.

"The malware can be configured with a proxy server/port and proxy username and password," the advisory reads. "This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system's required authentication to reach outside of the network."

SOURCE: https://www.zdnet.com/article/north-kore...campaigns/
Messages In This Thread
North Korea debuts new Electricfish malware in Hidden Cobra campaigns - by silversurfer - 10 May 19, 14:23
