Hidden Cobra Releases ElectricFish Malware

ElectricFish is a newly observed backdoor created by the Hidden Cobra advanced persistent threat group for use in their own campaigns.

Also known as the Lazarus group, Hidden Cobra has been connected to a variety of attacks against financial institutions, critical industrial players, and targets chosen for valuable intellectual property worldwide.

At the time of publication, it is unclear how ElectricFish is distributed, although it is likely to be delivered post-exploitation as part of Hidden Cobra’s exfiltration processes.

Once installed, ElectricFish initiates a connection with a command and control (C2) server using a bespoke protocol. It then opens the ports needed for communication between the C2 server and other Hidden Cobra malware, such as TYPEFRAME and HOPLIGHT, on the affected device.

The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to both the source and the destination system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server and port and with a proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which lets the actor bypass the compromised system’s required authentication to reach outside the network.

Indicators of Compromise

MD5 File Hashes

  • 8d9123cd2648020292b5c35edc9ae22e

SHA1 File Hashes

  • 0939363ff55d914e92635e5f693099fb28047602

SHA256 File Hashes

  • a1260fd3e9221d1bc5b9ece6e7a5a98669c79e124453f2ac58625085759ed3bb

For a downloadable copy of IOCs, see MAR-10135536-21.stix
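As an added example, not code from the original post or from the MAR, the following Python script hashes every file under a directory in a single pass and reports any file whose MD5, SHA1 or SHA256 matches the three hashes listed above. The function names, the directory argument and the sample bytes in the self-check are assumptions chosen here.

```python
import hashlib
import io
import os
import sys
from typing import Dict, Iterator, Set, Tuple

# File hashes for the ElectricFish sample, as listed on this page (MAR-10135536-21).
ELECTRICFISH_IOCS: Dict[str, Set[str]] = {
    "md5": {"8d9123cd2648020292b5c35edc9ae22e"},
    "sha1": {"0939363ff55d914e92635e5f693099fb28047602"},
    "sha256": {"a1260fd3e9221d1bc5b9ece6e7a5a98669c79e124453f2ac58625085759ed3bb"},
}

CHUNK_SIZE = 1 << 20  # 1 MiB reads, so large binaries are never loaded whole into memory


def hash_stream(stream) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 of a binary stream in one pass over the data."""
    digests = {name: hashlib.new(name) for name in ELECTRICFISH_IOCS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for digest in digests.values():
            digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Same as hash_stream, for data already held in memory (used by the self-check)."""
    return hash_stream(io.BytesIO(data))


def match_iocs(hashes: Dict[str, str], iocs: Dict[str, Set[str]]) -> Set[str]:
    """Return the algorithm names whose digest appears in the IoC set (case-insensitive)."""
    wanted = {name: {v.lower() for v in values} for name, values in iocs.items()}
    return {name for name, value in hashes.items() if value.lower() in wanted.get(name, ())}


def scan_tree(root: str, iocs: Dict[str, Set[str]] = ELECTRICFISH_IOCS) -> Iterator[Tuple[str, Set[str]]]:
    """Walk a directory tree and yield (path, matched_algorithms) for every file that hits an IoC."""
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    hits = match_iocs(hash_stream(fh), iocs)
            except OSError:
                continue  # unreadable or special file: skip it rather than abort the whole scan
            if hits:
                yield path, hits


if __name__ == "__main__":
    # Assumed usage: python scan.py /path/to/scan (defaults to the current directory).
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC MATCH ({', '.join(sorted(hits))}): {path}")
```

A hash match is only as good as the sample it was taken from; a recompiled or repacked build will not hit, so treat a miss as "not this exact file" rather than "not ElectricFish".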

Duncan Newell

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.
