Severity
High
Analysis Summary
A new malware, identified as ElectricFish, has been linked to the North Korean APT group Lazarus and is used to exfiltrate data from victims.
The malware is a command-line utility and its primary purpose is to funnel traffic between two IP addresses. The malware accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.
Impact
Authentication Bypass
Indicators of Compromise
Filename
- hs.exe
- 1JF.exe
- ccgc.exe
Malware Hash (MD5/SHA1/SHA256)
- 5d25465ec4d51c6b61947990fb148d0b1ee8a344069d5ac956ef4ea6a61af879
- 7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f
- a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2
- df934e2d23507a7f413580eae11bb7dc
- 41030182de3899cded5531fb0dad5a78
- f9ced93b94c8c8a8c0de20028300e11d
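As an added illustration (not part of the Rewterz alert), the following Python triage helper checks process-creation events against the filenames and hashes listed above and also flags the behaviour the analysis summary describes: a command line carrying several IP:port pairs (destination, source, proxy). The ProcessEvent fields, the sample events, and the IP:port heuristic are assumptions made for this example; the exact ElectricFish argument syntax is not stated in the alert, so the heuristic only counts IP:port tokens. Only the filenames and hashes are taken from the alert.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the alert above (filenames compared case-insensitively).
IOC_FILENAMES = {"hs.exe", "1jf.exe", "ccgc.exe"}
IOC_HASHES = {
    "5d25465ec4d51c6b61947990fb148d0b1ee8a344069d5ac956ef4ea6a61af879",
    "7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f",
    "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2",
    "df934e2d23507a7f413580eae11bb7dc",
    "41030182de3899cded5531fb0dad5a78",
    "f9ced93b94c8c8a8c0de20028300e11d",
}

# Assumption: an IPv4 address followed by ":port" (e.g. 10.0.0.5:443) is how a
# destination/source/proxy endpoint would appear on the command line.
IP_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption)."""
    image: str      # full path of the executable
    cmdline: str    # full command line as logged
    file_hash: str  # MD5 or SHA256 of the image, hex


def match_reasons(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event matches the alert, empty if none."""
    reasons = []
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in IOC_FILENAMES:
        reasons.append(f"filename IoC: {name}")
    if ev.file_hash.lower() in IOC_HASHES:
        reasons.append("hash IoC")
    # Behavioural check: a utility that funnels traffic between two hosts,
    # optionally via a proxy, needs at least two endpoints as arguments.
    pairs = IP_PORT.findall(ev.cmdline)
    if len(pairs) >= 2:
        reasons.append(f"{len(pairs)} ip:port pairs on command line")
    return reasons


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each matching image path to its list of reasons."""
    hits = {}
    for ev in events:
        reasons = match_reasons(ev)
        if reasons:
            hits[ev.image] = reasons
    return hits


# Constructed sample events; addresses use documentation ranges and the
# non-IoC hashes are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\Public\hs.exe",
        cmdline="hs.exe 203.0.113.10:8080 10.0.0.15:445 198.51.100.7:3128 user pass",
        file_hash="df934e2d23507a7f413580eae11bb7dc",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\svchost.exe",
        cmdline="svchost.exe -k netsvcs",
        file_hash="00000000000000000000000000000000",
    ),
    ProcessEvent(
        image=r"C:\tools\relay.exe",
        cmdline="relay.exe 192.0.2.4:22 10.0.0.20:22",
        file_hash="11111111111111111111111111111111",
    ),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The third sample event matches on behaviour alone, which is the point of keeping the IP:port check separate from the hash and filename checks: renamed or recompiled copies of the tool would miss the static indicators, so a behavioural hit with two or more endpoints on the command line should be reviewed even when no IoC matches.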
Remediation
- Block the threat indicators at their respective controls.
- Never open/download unverified email attachments sent from unknown senders.