To reduce exposure to the malware and support network defenders, the Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), has released a report analyzing a North Korean traffic-tunneling tool named ELECTRICFISH.
DHS and the FBI identified the malware variant as one used by the North Korean government, yet another indication of the continued threat from nation-state actors, particularly the malicious cyber activity of the North Korean government, which the U.S. government tracks as HIDDEN COBRA.
“This alert by US-CERT reveals a simple piece of malware which creates a backdoor to provide the attacker direct access to the affected system. Using a custom protocol, likely to help it evade detection from typical network monitoring tools, ELECTRICFISH can pass data or accept an inbound connection that bypasses all system authentication,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.
According to the analysis, ELECTRICFISH is a command-line tool that accepts arguments for configuring the destination and source IPs and ports, a proxy IP, and a username and password for authenticating with a proxy server.
“The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session,” the US-CERT alert said.
Authenticating with a proxy server is a feature that “allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
The malware’s primary purpose is to funnel traffic between two IP addresses. “This type of connection, using a custom protocol instead of existing protocols like HTTP, is what we refer to as hidden tunnels and is used for command and control of remote systems, as well as for data exfiltration,” said Chris Morales, head of security analytics at Vectra.
“Hidden tunnels used as part of a targeted attack are meant to slip by an organization’s perimeter security controls and indicate a sophisticated attacker. These malicious actors will especially use hidden tunnels in vertical markets where they are also used for approved business applications. Hidden tunnels are used by stock ticker applications commonly found in financial services firms and by cloud access service brokers (CASB) that organizations in multiple industries use.”
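The alert gives no network indicators, so the practical question for a defender is how a tunnel like the one described above would show up in telemetry: a long-lived connection whose payload is not the protocol the port implies, leaving the network through the authenticated proxy. The following is an added example, not code from the advisory or from anyone quoted in the article. It runs a small fingerprint-and-triage pass over constructed connection records; the record layout, field names, thresholds and the sample IPs, users and byte strings are all assumptions for illustration, not real telemetry.

```python
"""Triage outbound connections for hidden-tunnel behaviour (illustrative, added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Conn:
    """One outbound connection as a perimeter sensor or proxy log might record it.
    Field names are assumptions for this example, not a real log schema."""
    src: str
    dst: str
    dport: int
    via_proxy: bool            # egressed through the corporate HTTP proxy (CONNECT)
    proxy_user: Optional[str]  # credential presented to the proxy, if any
    duration_s: int
    first_bytes: bytes         # first client bytes on the tunnel, after any CONNECT


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"PATCH ")


def classify_payload(data: bytes) -> str:
    """Cheap protocol fingerprint on the first client bytes.

    TLS ClientHello: record type 0x16 (handshake), version 0x03xx,
    handshake type 0x01 at offset 5. SSH and HTTP are identified by their
    plaintext prefixes. Anything else is 'unknown'."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-clienthello"
    if data.startswith(b"SSH-"):
        return "ssh"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


# What we expect to see on well-known ports; anything else on them is worth a look.
EXPECTED_ON_PORT = {80: {"http"}, 8080: {"http"}, 443: {"tls-clienthello"}, 22: {"ssh"}}
LONG_LIVED_S = 3600  # assumed threshold; tune to the environment


def triage(c: Conn) -> List[str]:
    """Return the reasons a connection looks like a hidden tunnel (empty list = nothing to report)."""
    kind = classify_payload(c.first_bytes)
    reasons: List[str] = []
    expected = EXPECTED_ON_PORT.get(c.dport)
    if expected is not None and kind not in expected:
        reasons.append(f"{kind} payload on port {c.dport}, expected {sorted(expected)}")
    if kind == "unknown":
        if expected is None:
            reasons.append(f"unrecognised protocol on non-standard port {c.dport}")
        if c.duration_s >= LONG_LIVED_S:
            reasons.append(f"unrecognised protocol held open for {c.duration_s}s")
        if c.via_proxy and c.proxy_user:
            reasons.append(f"unrecognised protocol tunnelled out via proxy as {c.proxy_user}")
    return reasons


def flagged(conns: List[Conn]) -> Dict[str, List[str]]:
    """Map 'src->dst:port' to its triage reasons for every connection with at least one."""
    out: Dict[str, List[str]] = {}
    for c in conns:
        reasons = triage(c)
        if reasons:
            out[f"{c.src}->{c.dst}:{c.dport}"] = reasons
    return out


# Constructed sample records (documentation IP ranges, made-up users and bytes), not real telemetry.
TLS_HELLO = bytes.fromhex("160301005a01000056030303")  # truncated TLS 1.2 ClientHello header
SAMPLE = [
    Conn("10.0.0.5", "203.0.113.10", 443, True, "jdoe", 12, TLS_HELLO),
    Conn("10.0.0.5", "198.51.100.7", 80, True, "jdoe", 3, b"GET / HTTP/1.1\r\nHost: example.net\r\n"),
    # Opaque bytes on 443, held open for two hours, leaving via the proxy on a service account.
    Conn("10.0.0.9", "192.0.2.44", 443, True, "svc_backup", 7200, bytes.fromhex("e3a10f0c4a9b2211")),
    # Same peer, direct connection on a non-standard port, short and unrecognised.
    Conn("10.0.0.9", "192.0.2.44", 8443, False, None, 45, b"\x00\x00\x00\x10\x01\x02"),
]

if __name__ == "__main__":
    for key, reasons in flagged(SAMPLE).items():
        print(key)
        for r in reasons:
            print("  -", r)
```

The useful signal is the combination: opaque bytes where a TLS ClientHello belongs, a session that stays up for hours, and egress through the proxy under a named account. Any one of these alone (a non-standard port, say) is noisy in environments that legitimately run custom protocols, which is exactly the point made about stock-ticker and CASB traffic above, so the port-mismatch rule should be tuned against a baseline of known business applications rather than alerted on directly.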