DHS Releases Analysis of ELECTRICFISH Malware
To enable network defense and reduce exposure, the Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), has released a Malware Analysis Report on a North Korean traffic-tunneling tool named ELECTRICFISH.
DHS and the FBI identified the malware variant as one used by the North Korean government, a further sign of the continued threat from nation-state actors and in particular from the North Korean government's malicious cyber activity, which the US government tracks as HIDDEN COBRA.
“This alert by US-CERT reveals a simple piece of malware which creates a backdoor to provide the attacker direct access to the affected system. Using a custom protocol, likely to help it evade detection from typical network monitoring tools, ELECTRICFISH can pass data or accept an inbound connection that bypasses all system authentication,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.
According to the analysis, ELECTRICFISH is a command-line utility that takes arguments for the destination IP address and port, the source IP address and port, a proxy IP address and port, and a username and password used to authenticate to that proxy server.
“The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session,” the US-CERT alert said.
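To make the described behaviour concrete, here is an added example, written for this article and not taken from the DHS/FBI report or from the malware itself. It models the two traits the analysis calls out: the relay dials both the source and the destination on its own (so either side only has to accept a connection, and whichever side talks first starts the session), and it keeps retrying until a peer answers. It also builds the proxy handshake a tool like this would send when a username and password are configured. The loopback endpoints, ports, retry timing and the HTTP CONNECT with Basic-credentials framing are assumptions for illustration; the report says ELECTRICFISH uses its own custom protocol, which this code does not reproduce.

```python
"""Added example: a minimal model of a dual-outbound traffic relay.

Not the ELECTRICFISH code or its protocol. The relay dials BOTH peers itself
(so neither peer has to initiate) and can present Basic credentials to an
HTTP CONNECT proxy. Addresses, ports, retry timing and the CONNECT framing
are illustrative assumptions.
"""
import base64
import socket
import threading
import time

socket.setdefaulttimeout(5)  # safety net so a misbehaving peer cannot hang the demo


def build_connect_request(host, port, username=None, password=None):
    """Assumed proxy handshake: an HTTP CONNECT request carrying Basic proxy
    credentials (RFC 7617) when a username/password pair is configured."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def dial(addr, retries=20, delay=0.05):
    """Keep reaching out until the peer answers (the report's 'continuously
    attempts to reach out' behaviour), bounded here so the demo terminates."""
    for _ in range(retries):
        try:
            return socket.create_connection(addr)
        except OSError:
            time.sleep(delay)
    raise ConnectionError(f"could not reach {addr}")


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side so the
    far peer sees end-of-stream as well."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_relay(source_addr, dest_addr):
    """Dial both peers, then funnel traffic in both directions until both
    streams have finished."""
    a, b = dial(source_addr), dial(dest_addr)
    threads = [threading.Thread(target=pump, args=(a, b), daemon=True),
               threading.Thread(target=pump, args=(b, a), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def recv_all(conn):
    """Read until the peer half-closes."""
    buf = b""
    while chunk := conn.recv(4096):
        buf += chunk
    return buf


def demo():
    """Constructed stand-in 'source' and 'destination' on loopback. Neither
    ever connects anywhere; both only accept, and the relay bridges them.
    Returns what the source got back from the destination."""
    src_l = socket.create_server(("127.0.0.1", 0))
    dst_l = socket.create_server(("127.0.0.1", 0))
    result = {}

    def destination():          # upper-cases whatever it is sent, then closes
        conn, _ = dst_l.accept()
        with conn:
            conn.sendall(recv_all(conn).upper())

    def source():               # sends a message, half-closes, reads the reply
        conn, _ = src_l.accept()
        with conn:
            conn.sendall(b"hello from source")
            conn.shutdown(socket.SHUT_WR)
            result["reply"] = recv_all(conn)

    peers = [threading.Thread(target=destination), threading.Thread(target=source)]
    for t in peers:
        t.start()
    run_relay(src_l.getsockname(), dst_l.getsockname())
    for t in peers:
        t.join()
    src_l.close()
    dst_l.close()
    return result["reply"]


if __name__ == "__main__":
    print(build_connect_request("203.0.113.10", 443, "user", "pass").decode())
    print(demo())  # b'HELLO FROM SOURCE'
```

Run as a script and the source stand-in receives the destination's reply even though neither endpoint ever opened a connection. The defender's takeaway is the shape this leaves in flow or firewall logs: one host initiating outbound connections to two separate peers, repeated at short intervals until each answers, with byte counts that mirror each other across the two connections. A listening backdoor looks different; this one never needs an inbound port on the relay host.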
Authenticating with a proxy server i ..