US government releases new report on ELECTRICFISH malware linked to North Korean threat actors

• The Department of Homeland Security has published a detailed analysis of the malware.
• ELECTRICFISH has been attributed to threat actors linked with the North Korean government.

The Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), has published a detailed analysis of a new malware called ELECTRICFISH. The report mainly sheds light on the functionality of the malware. It also covers the malware’s size, MD5, SHA1, and other details that were discovered in the analysis.

ELECTRICFISH is said to be a tunneling tool used by the infamous HIDDEN COBRA group. This group is affiliated with the North Korean government.

Details of the malware

• ELECTRICFISH is a command-line tool which is intended to funnel traffic between two IP addresses.
• The malware continuously tries to communicate with either the source or the destination IP address to initiate tunneling sessions. This is done after the malware is configured with a proxy server.
• The report by DHS describes the proxy configuration used by ELECTRICFISH. “The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network,” it reads.

Worth noting

Security researcher Darien Huss of Proofpoint noted that the new sample highlighted in the report was unique to the three samples found in 2018, all of which were uploaded on VirusTotal. In fact, other instances of ELECTRICFISH were also seen prior to the publication of the DHS report.

Precautions

In the report, DHS has also suggested measures to prevent attacks from ELECTRICFISH. It has mainly advised system administrators to review any configuration changes that occur in their computer network.