North Korea, new Lazarus campaign with Electricfish malware

DHS-FBI: North Korea’s Hidden Cobra hackers are back with Electricfish malware. It implements a custom protocol that allows traffic to be funneled between a source and a destination IP address

North Korea's state-sponsored hackers are conducting new cyber attacks with the Electricfish malware, which has been identified by Department of Homeland Security (DHS) and FBI cyber security experts in operations of the Hidden Cobra cyber warfare framework. The malicious code, a 32-bit Windows executable file, implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session. It can be configured with a proxy server/port and a proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which lets the actor bypass the compromised system's required authentication to reach outside of the network.

How the APT’s malicious code works

According to the cyber security experts, after Electricfish authenticates with the configured proxy, it immediately attempts to establish a session with the destination IP address, located outside of the target network, and with the source IP address. The header of the initial authentication packet, sent to both the source and destination systems, is static except for two random bytes: everything within this 34-byte header is static except for the bytes 0X2B6E, which change during each connection attempt. Moreover, the North Korean malicious code is not detected by many antivirus engines. The hackers behind it are believed to be the Lazarus APT, which in recent years has used different tools to launch cyber warfare and espionage operations: from Typeframe to Sharpknot, passing through Hardrain, Badcall, Bankshot, Fallchill, Volgmer, Delta Charlie, Joanap and Brambul. The most recent was HOPLIGHT.
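A mostly-static handshake header with two per-connection random bytes is exactly the kind of behaviour a defender can turn into a masked network signature. The following added example (not code from the DHS/FBI report or from this article) derives the static template and the variable byte offsets from a few captured connection attempts and then matches new flows against it; the header template, the variable offsets (10 and 11), and the sample flows are all constructed placeholders, not the real Electricfish bytes.

```python
HEADER_LEN = 34  # the report describes a 34-byte initial authentication header


def derive_mask(samples: list[bytes], header_len: int = HEADER_LEN) -> tuple[bytes, set[int]]:
    """From captured initial packets of several connection attempts, return the
    static template and the set of byte offsets that vary between attempts."""
    if len(samples) < 2:
        raise ValueError("need at least two captures to tell static from variable bytes")
    heads = [s[:header_len] for s in samples]
    if any(len(h) != header_len for h in heads):
        raise ValueError("every capture must carry a full header")
    variable = {i for i in range(header_len) if len({h[i] for h in heads}) > 1}
    return heads[0], variable


def matches(payload: bytes, template: bytes, variable: set[int]) -> bool:
    """Masked comparison: every static offset must equal the template,
    the variable offsets are ignored, and a short payload never matches."""
    if len(payload) < len(template):
        return False
    return all(payload[i] == template[i] for i in range(len(template)) if i not in variable)


def scan(flows, template: bytes, variable: set[int]) -> list[str]:
    """Return the source addresses whose first payload matches the masked signature."""
    return [src for src, _dst, payload in flows if matches(payload, template, variable)]


# Constructed placeholder template (0x40..0x61); NOT the real Electricfish header bytes.
PLACEHOLDER_TEMPLATE = bytes(range(0x40, 0x40 + HEADER_LEN))
VARIABLE_OFFSETS = (10, 11)  # constructed positions of the two per-connection random bytes


def fake_attempt(rand: bytes) -> bytes:
    """Build one constructed connection attempt: template with the two random bytes set."""
    head = bytearray(PLACEHOLDER_TEMPLATE)
    head[VARIABLE_OFFSETS[0]], head[VARIABLE_OFFSETS[1]] = rand[0], rand[1]
    return bytes(head) + b"\x00" * 16  # arbitrary trailing body


# Constructed captures of three earlier attempts, used to learn the mask.
CAPTURES = [fake_attempt(b"\x13\x37"), fake_attempt(b"\x91\x07"), fake_attempt(b"\x00\xff")]

# Constructed (src, dst, first payload) tuples standing in for a packet capture.
FLOWS = [
    ("10.0.0.5", "203.0.113.7", fake_attempt(b"\xaa\xbb")),                 # new attempt
    ("10.0.0.8", "198.51.100.2", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # benign
    ("10.0.0.9", "203.0.113.7", fake_attempt(b"\x00\x01")[:20]),            # truncated
]


def detect(flows=FLOWS, captures=CAPTURES) -> list[str]:
    template, variable = derive_mask(captures)
    return scan(flows, template, variable)
```

Running `detect()` on the constructed data flags only 10.0.0.5; the learned mask can then be carried over to an IDS rule that wildcards the same two offsets.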

