In an effort to reduce exposure and strengthen network defenses, the Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), has released a report analyzing a North Korean traffic tunneling tool named ELECTRICFISH.

The DHS and FBI have identified a malware variant used by the North Korean government, yet another indication of the continued threat from nation-state actors, particularly the malicious cyber activity of the North Korean government, also known as HIDDEN COBRA.

“This alert by US-CERT reveals a simple piece of malware which creates a backdoor to provide the attacker direct access to the affected system. Using a custom protocol, likely to help it evade detection from typical network monitoring tools, ELECTRICFISH can pass data or accept an inbound connection that bypasses all system authentication,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

According to the analysis, ELECTRICFISH is a command-line tool that accepts arguments for configuring the destination and source IPs and ports, a proxy IP, and a username and password for authenticating with a proxy server.

“The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session,” the US CERT alert said.

Authenticating with a proxy server is a feature that “allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”
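The reconnect behaviour the alert describes, a compromised host that keeps reaching out to two fixed endpoints so that either side can start a tunneling session, leaves a pattern in ordinary connection logs that a defender can hunt for without knowing the custom protocol. The following is an added example, not code from the DHS/FBI report, from US-CERT or from Infosecurity Magazine: the log lines, the addresses, the thresholds and the function names are all constructed for illustration. It flags any internal host that retries the same remote endpoint at least `min_attempts` times inside a sliding window and does so against at least `min_endpoints` distinct endpoints, which is the shape of "continuously attempts to reach out to the source and the destination".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the DHS/FBI report). One outbound
# connection attempt per line: "timestamp internal_host remote_ip remote_port".
# Host 10.0.0.5 stands in for the behaviour the alert describes: it keeps
# reaching out to two fixed endpoints once a minute. Host 10.0.0.9 is ordinary
# browsing to a handful of web servers.
SAMPLE_LOG = """\
2019-05-09T10:00:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:00:10 10.0.0.9 192.0.2.20 443
2019-05-09T10:00:30 10.0.0.5 203.0.113.7 9001
2019-05-09T10:01:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:01:10 10.0.0.9 192.0.2.21 443
2019-05-09T10:01:30 10.0.0.5 203.0.113.7 9001
2019-05-09T10:02:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:02:10 10.0.0.9 192.0.2.22 443
2019-05-09T10:02:30 10.0.0.5 203.0.113.7 9001
2019-05-09T10:03:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:03:10 10.0.0.9 192.0.2.20 443
2019-05-09T10:03:30 10.0.0.5 203.0.113.7 9001
2019-05-09T10:04:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:04:30 10.0.0.5 203.0.113.7 9001
2019-05-09T10:05:00 10.0.0.5 198.51.100.10 8080
2019-05-09T10:05:30 10.0.0.5 203.0.113.7 9001
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, remote_ip, remote_port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, host, rip, rport = line.split()
        records.append((datetime.fromisoformat(ts), host, rip, int(rport)))
    return records


def find_persistent_reconnects(records, window=timedelta(minutes=10),
                               min_attempts=5, min_endpoints=2):
    """Return {host: {(remote_ip, remote_port): attempts_in_busiest_window}}
    for hosts that repeatedly retry at least `min_endpoints` distinct endpoints.

    The thresholds are hypothetical starting points, not values from the alert;
    tune them against your own baseline of legitimate retry-heavy software.
    """
    attempts = defaultdict(list)  # (host, ip, port) -> list of timestamps
    for ts, host, rip, rport in records:
        attempts[(host, rip, rport)].append(ts)

    per_host = defaultdict(dict)
    for (host, rip, rport), stamps in attempts.items():
        stamps.sort()
        # Sliding window: the largest number of attempts to this endpoint
        # that fall inside any span of length `window`.
        busiest, j = 0, 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            busiest = max(busiest, i - j + 1)
        if busiest >= min_attempts:
            per_host[host][(rip, rport)] = busiest

    # Only report hosts that hammer several endpoints, which is the two-sided
    # reconnect pattern; a single retried endpoint is far more often benign.
    return {host: eps for host, eps in per_host.items() if len(eps) >= min_endpoints}


if __name__ == "__main__":
    for host, endpoints in find_persistent_reconnects(parse_log(SAMPLE_LOG)).items():
        for (ip, port), count in sorted(endpoints.items()):
            print(f"{host} retried {ip}:{port} {count} times within 10 minutes")
```

On the constructed log this reports only 10.0.0.5, with six attempts to each of its two endpoints; 10.0.0.9 never exceeds two attempts to any one server and stays silent. The same grouping works on firewall, NetFlow or proxy logs once they are normalised to the four fields used here, and proxy logs are worth including specifically because the tool's proxy-authentication option means its traffic may show up there rather than at the perimeter firewall.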

The malware’s primary purpose is to funnel traffic between two IP addresses. “This type of connection, using a custom protocol instead of existing protocols like HTTP, is what we refer to as hidden tunnels and is used for command and control of remote systems, as well as for data exfiltration,” said Chris Morales, head of security analytics at Vectra.

“Hidden tunnels used as part of a targeted attack are meant to slip by an organization’s perimeter security controls and indicate a sophisticated attacker. These malicious actors will especially use hidden tunnels in vertical markets where they are also used for approved business applications. Hidden tunnels are used by stock ticker applications commonly found in financial services firms and by cloud access service brokers (CASB) that organizations in multiple industries use.”

Source: Infosecurity Magazine
