
Rewterz Threat Alert – New ELECTRICFISH Tool by HIDDEN COBRA

Severity

High

Analysis Summary


A new malware, identified as ElectricFish, has been linked to the North Korean APT group Lazarus and is used to exfiltrate data from victims.

The malware is a command-line utility whose primary purpose is to funnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password that can be used to authenticate with a proxy server. It attempts to establish TCP sessions with both the source IP address and the destination IP address. If a connection is made to both, the utility implements a custom protocol that allows traffic to be funneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address; a configured proxy server is not required for the utility to operate.

Impact

Authentication Bypass

Indicators of Compromise

Filename

  • hs.exe
  • 1JF.exe
  • ccgc.exe

Malware Hash (SHA256)

  • 5d25465ec4d51c6b61947990fb148d0b1ee8a344069d5ac956ef4ea6a61af879
  • 7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f
  • a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2

Malware Hash (MD5)

  • df934e2d23507a7f413580eae11bb7dc
  • 41030182de3899cded5531fb0dad5a78
  • f9ced93b94c8c8a8c0de20028300e11d

Remediation

  • Block the threat indicators at their respective controls.
  • Never open/download unverified email attachments sent from unknown senders.
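As an added example of putting the indicators above to use on an endpoint or file share (this is not Rewterz's tooling or a tool from the alert; the hash and filename values are copied from the alert, while the function names, the "high"/"low" confidence labels and the directory-walk logic are assumptions), the following Python script hashes every file under a directory tree and reports any file whose MD5 or SHA256 matches an indicator, treating a filename-only match as a lower-confidence lead because names like hs.exe can collide with benign software:

```python
"""Scan a directory tree for the ELECTRICFISH indicators listed in the alert.

Added example, not code from the alert or from Rewterz: the hash and filename
values come from the alert; everything else (function names, confidence
labels, walk behaviour) is assumed.
"""
import hashlib
import os
from dataclasses import dataclass

# Indicators copied from the alert. The 64-hex values are SHA256 digests and
# the 32-hex values are MD5 digests.
IOC_SHA256 = {
    "5d25465ec4d51c6b61947990fb148d0b1ee8a344069d5ac956ef4ea6a61af879",
    "7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f",
    "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2",
}
IOC_MD5 = {
    "df934e2d23507a7f413580eae11bb7dc",
    "41030182de3899cded5531fb0dad5a78",
    "f9ced93b94c8c8a8c0de20028300e11d",
}
IOC_FILENAMES = {"hs.exe", "1jf.exe", "ccgc.exe"}  # compared case-insensitively


@dataclass
class Hit:
    path: str
    confidence: str   # "high" for a hash match, "low" for a filename-only match
    reasons: list


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha256) hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> tuple:
    """Stream a file through MD5 and SHA256 so large binaries need not fit in RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def classify(name: str, md5: str, sha256: str):
    """Match a (basename, md5, sha256) triple against the alert's indicators.

    Returns (confidence, reasons) or None. A hash match is authoritative; a
    filename match alone is only a lead and should be confirmed by hash.
    """
    reasons = []
    if sha256.lower() in IOC_SHA256:
        reasons.append("sha256 matches alert IoC")
    if md5.lower() in IOC_MD5:
        reasons.append("md5 matches alert IoC")
    if reasons:
        return "high", reasons
    if name.lower() in IOC_FILENAMES:
        return "low", ["filename matches alert IoC (verify by hash)"]
    return None


def scan_tree(root: str):
    """Walk `root` and return a Hit for every file that matches an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                md5, sha = hash_file(full)
            except OSError:
                continue  # unreadable (permissions, file in use): skip, don't abort
            verdict = classify(fname, md5, sha)
            if verdict:
                hits.append(Hit(full, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{hit.confidence}] {hit.path}: {'; '.join(hit.reasons)}")
```

Run it as `python scan_electricfish.py /path/to/scan`; a "high" hit is a file whose digest equals one of the listed hashes and should be isolated and submitted for analysis, while a "low" hit only shares a filename and needs confirmation before any blocking action.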