The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recently released a joint security advisory warning of ElectricFish, a tool used by the North Korean government-backed hacker group Hidden Cobra, to remind government agencies and civil society organizations to stay cautious.
Hidden Cobra has many aliases, including Lazarus, Guardians of Peace, and Zinc. It has attacked Korean media organizations. It was also the group that broke into Sony and leaked confidential Sony data. Last year, it attacked cryptocurrency users. McAfee believes that Hidden Cobra has penetrated 87 organizations in 24 countries.
ElectricFish is the latest attack tool used by the Hidden Cobra group. After detecting the tool, DHS and the FBI analyzed it and made their findings public. They proposed mitigations and offered to help the wider community identify and block the malware.
The security advisory warning reads, “The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
According to the description, ElectricFish is a command line tool used to tunnel traffic between two IP addresses, a source and a destination. It accepts commands from the attacker that configure the source IP address/port, the destination IP address/port, the proxy IP address/port, and the proxy server certificate.
It then attempts to establish TCP connections to the source IP and the destination IP and uses a custom protocol to relay traffic quickly between the two machines. If necessary, the proxy IP address can be used to reach the destination, so that a connection is established between a destination IP address outside the target network and the source IP address inside it.
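Because the tool relays traffic through an authenticated corporate proxy, the proxy's own access log is one of the few places a defender can see it. The script below is an added example written for this article, not code from the advisory or from DHS/FBI: it parses a handful of constructed lines in a simplified Squid-style native log format (timestamp, elapsed milliseconds, client IP, status, bytes, method, URL, user; the format and the thresholds are assumptions) and flags CONNECT tunnels that are long-lived, go to a non-standard port, or target a bare IP address rather than a hostname.

```python
"""Flag suspicious proxy CONNECT tunnels in a Squid-style access log.

Added example, not part of the advisory. The log format, the sample
lines and the thresholds are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample lines (not real traffic). Fields:
# epoch_time elapsed_ms client status bytes method url user hierarchy type
SAMPLE_LOG = """\
1557964800.100 320 10.0.0.15 TCP_TUNNEL/200 5123 CONNECT login.example.com:443 - HIER_DIRECT/203.0.113.5 -
1557964801.250 14400000 10.0.0.23 TCP_TUNNEL/200 89231120 CONNECT 198.51.100.77:8443 alice HIER_DIRECT/198.51.100.77 -
1557964802.000 120 10.0.0.15 TCP_MISS/200 2210 GET http://intranet.example.com/ - HIER_DIRECT/10.0.0.2 text/html
1557964803.400 7200000 10.0.0.23 TCP_TUNNEL/200 4096 CONNECT 198.51.100.77:22 alice HIER_DIRECT/198.51.100.77 -
"""


@dataclass
class TunnelEvent:
    client: str
    user: str
    dest_host: str
    dest_port: int
    elapsed_s: float
    bytes_sent: int
    reasons: List[str] = field(default_factory=list)


def parse_connect(line: str) -> Optional[TunnelEvent]:
    """Return a TunnelEvent for a CONNECT line, or None for anything else."""
    fields = line.split()
    if len(fields) < 8 or fields[5] != "CONNECT":
        return None
    _ts, elapsed_ms, client, _status, nbytes, _method, url, user = fields[:8]
    host, _, port = url.rpartition(":")
    if not host or not port.isdigit():
        return None
    return TunnelEvent(
        client=client,
        user=user,
        dest_host=host,
        dest_port=int(port),
        elapsed_s=int(elapsed_ms) / 1000.0,
        bytes_sent=int(nbytes),
    )


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious_tunnels(
    log_text: str,
    max_duration_s: float = 3600.0,
    allowed_ports: Iterable[int] = (443,),
) -> List[TunnelEvent]:
    """Apply three simple heuristics to every CONNECT tunnel in the log.

    A relay tool that keeps a tunnel open for hours, to a port that is not
    normal HTTPS, and to a raw IP instead of a hostname, hits all three.
    """
    allowed = set(allowed_ports)
    flagged: List[TunnelEvent] = []
    for line in log_text.splitlines():
        ev = parse_connect(line)
        if ev is None:
            continue
        if ev.elapsed_s > max_duration_s:
            ev.reasons.append("long-lived tunnel")
        if ev.dest_port not in allowed:
            ev.reasons.append("non-standard port")
        if is_bare_ip(ev.dest_host):
            ev.reasons.append("destination is bare IP")
        if ev.reasons:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in flag_suspicious_tunnels(SAMPLE_LOG):
        print(f"{ev.client} ({ev.user}) -> {ev.dest_host}:{ev.dest_port} "
              f"{ev.elapsed_s:.0f}s {ev.bytes_sent}B: {', '.join(ev.reasons)}")
```

On the constructed sample, the two tunnels from 10.0.0.23 are flagged and the routine HTTPS CONNECT and the plain GET are not. In practice the thresholds and the allow-list of ports should be tuned to the organization's own baseline, and a hit is a starting point for looking at the client host, not a verdict.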
Hidden Cobra malware is also capable of modifying registry settings, creating and killing processes, and downloading files, among other features. The malware is believed to have been in circulation since the global WannaCry ransomware outbreak in 2017. People should pay more attention to this threat.
Published by Emerson L. Sullivan & last updated on May 17, 2019 2:29 am