Electricfish Malware is Used in Lazarus’ Campaigns

Delaware, USA – May 13, 2019 – The new malware is used by adversaries to funnel traffic between two IP addresses covertly exfiltrating stolen information. The Federal Bureau of Investigation and the Department of Homeland Security published malware analysis report warning about a new tool used by the Lazarus group in recent attacks. Electricfish malware contains a custom protocol which enables traffic funneling between source and destination IP addresses. Threat actors can configure the malware with a proxy server/port and appropriate credentials to connect to an organization’s proxy and to bypass the compromised system’s required authentication to reach outside of an attacked network. Electricfish try to establish TCP sessions with the source IP address and the destination IP, and when successful, it launches its custom protocol to push the traffic between systems. Lazarus group can leverage this tool to stealthily transfer stolen data to their server bypassing security solutions and don’t raise the security team’s suspicion.

North Korean hackers armed with the new Hoplight trojan continue cyber espionage activity being a serious threat to both government entities and financial institutions. Security researchers associate several threat actors with the Lazarus group, including APT38 who stole over a hundred million dollars in four years of their activity. You can explore all the known techniques and tactics of the attackers in Threat Detection Marketplace, including the recently added Impact Tactic used by the group to destructive attacks and hide the traces of cybercrimes: https://tdm.socprime.com/att-ck/

UPDATE
Free rules to detect Electricfish malware are released: https://tdm.socprime.com/tdm/info/2157/