ElectricFish is a newly observed backdoor created by the Hidden Cobra advanced persistent threat group for use in their own campaigns.
Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.
At the time of publication, it is unclear how ElectricFish is distributed, although it is likely to be delivered post-exploitation as part of Hidden Cobra’s exfiltration processes.
Once installed, ElectricFish will initiate a connection with a command and control (C2) server using a bespoke protocol. It will then open the necessary ports to allow communication between the C2 server and other Hidden Cobra’s malware, such as TYPEFRAME and HOPLIGHT, on the affected device.
The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.
Indicators of Compromise
MD5 File Hashes
SHA1 File Hashes
SHA256 File Hashes
For a downloadable copy of IOCs, see MAR-10135536-21.stix
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.