A new malware variant named ElectricFish has been attributed to the North Korean APT group Hidden Cobra. The U.S. Department of Homeland Security (DHS) and the FBI have issued a joint alert on the malware, which is actively used in the wild to covertly tunnel traffic out of compromised systems.
Hidden Cobra, also known as the Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and is known for cyber-attacks against media, aerospace, financial and critical infrastructure organizations around the world.
The malware implements a custom protocol and can be configured with a proxy server together with a proxy username and password. By authenticating to the proxy with those supplied credentials, the operators get past the authentication the compromised system would otherwise need in order to reach outside the network.
ElectricFish is a command-line utility whose purpose is to funnel traffic quickly between two IP addresses.
According to the alert, the malware attempts to establish TCP sessions with both the source IP address and the destination IP address. Once both connections are up, it uses its custom protocol to funnel traffic rapidly between the two machines. It can also authenticate to a proxy in order to reach the destination IP address, although a configured proxy server is not required for the utility to work.
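The behaviour described above, a utility that dials both endpoints itself and shuttles bytes between them, is easier to reason about in code. The following is an added illustration of that tunneling technique, not ElectricFish's own code: its custom wire protocol is not public, so plain TCP is relayed here. The proxy handshake is an assumption as well, since the alert does not name the proxy protocol; HTTP CONNECT with Basic credentials is used purely for illustration. The `demo()` scenario (a "source" that emits a payload, a "destination" that upper-cases it) is constructed so the relay can be exercised on loopback without any external host.

```python
import base64
import socket
import threading


def build_connect_request(host, port, username=None, password=None):
    """HTTP CONNECT request with optional Basic proxy credentials.
    Assumption: the alert does not say which proxy protocol ElectricFish
    speaks; HTTP CONNECT + Basic auth is used here only for illustration."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req += f"Proxy-Authorization: Basic {token}\r\n"
    return (req + "\r\n").encode()


def open_tunnel(target, proxy=None, username=None, password=None):
    """Return a socket connected to target: directly, or through an HTTP
    CONNECT proxy that may demand credentials. A proxy is optional, matching
    the alert's note that a configured proxy is not required."""
    if proxy is None:
        return socket.create_connection(target)
    sock = socket.create_connection(proxy)
    sock.sendall(build_connect_request(target[0], target[1], username, password))
    head = b""
    while b"\r\n\r\n" not in head:  # read the proxy's status line and headers
        chunk = sock.recv(1024)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        head += chunk
    status = head.split(b"\r\n", 1)[0]
    if b" 200" not in status:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status!r}")
    return sock


def pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst so the
    far side sees the same EOF. Two of these give a full-duplex relay."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(src_addr, dst_addr, proxy=None, username=None, password=None):
    """The core of the technique: BOTH TCP sessions are initiated outbound by
    this process, then traffic is funneled between them in both directions."""
    src = socket.create_connection(src_addr)                 # session 1
    dst = open_tunnel(dst_addr, proxy, username, password)   # session 2
    threads = [threading.Thread(target=pump, args=(src, dst)),
               threading.Thread(target=pump, args=(dst, src))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    src.close()
    dst.close()


# ---- constructed loopback scenario (test scaffolding, not part of the technique) ----

def _recv_all(conn):
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def _serve_once(handler):
    """Listen on 127.0.0.1, accept one connection, hand it to handler."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname(), t


def demo(payload=b"beacon-data"):
    """Source emits payload; destination answers with it upper-cased; the relay
    dials both and ferries the bytes. Returns what the source received back."""
    result = {}

    def source(conn):
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)
        result["reply"] = _recv_all(conn)

    def destination(conn):
        conn.sendall(_recv_all(conn).upper())
        conn.shutdown(socket.SHUT_WR)

    src_addr, src_thread = _serve_once(source)
    dst_addr, dst_thread = _serve_once(destination)
    relay(src_addr, dst_addr)
    src_thread.join(5)
    dst_thread.join(5)
    return result["reply"]


if __name__ == "__main__":
    print(demo())
```

The detail worth noticing for defenders is in `relay()`: neither endpoint connects to the tool, the tool connects to both. On the compromised host that shows up as a single process holding two concurrent outbound TCP sessions (one of them possibly a CONNECT request carrying proxy credentials) with bytes flowing between them, which is a different footprint from a conventional listening backdoor.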
DHS and the FBI issued the alert jointly to support network defense and reduce exposure to malicious cyber activity by the North Korean government.
The group has previously been associated with the 2017 WannaCry ransomware outbreak, the 2014 Sony Pictures hack, and the 2016 attack on the SWIFT banking network.