Homeland Security Warns of North Korean Malware Variant

Homeland Security Warns of North Korean Malware Variant

A cybersecurity alert was issued Thursday, May 9, 2019, regarding a new malicious malware variant being used by North Korea known as ELECTRICFISH. The United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are distributing this Malware Analysis Report (MAR) to enable network defense and reduce exposure to the North Korean government's malicious cyber activity. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

What It Is:
This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions, and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report provides an analysis of one malicious 32-bit Windows executable file known as ELECTRICFISH. The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the bad actor to bypass the compromised system’s required authentication to reach outside of the network.

ELECTRICFISH is a malicious Windows 32-bit executable. The application is a command-line utility and its primary purpose is to funnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.

After the malware authenticates with the configured proxy, it will immediately attempt to establish a session with the destination IP address, located outside of the target network and the source IP address. The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes. Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt. Displayed below is the packet header.

--Begin Authentication Packet Sent to Destination System--
6161616162626262636363636464646400000000000000002B6E0000040000009210
--End Authentication Packet Sent to Destination System--

For a downloadable copy of the IOCs, see:

MAR-10135536-21.stix

What It Means:
Users or administrators of your business network should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

What To Do:
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrator's group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in the National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops."

Contact Information for Government Agencies:

• 1-888-282-0870
NCCICCustomerService@us-cert.gov (UNCLASS)
us-cert@dhs.sgov.gov (SIPRNET)
us-cert@dhs.ic.gov (JWICS)

Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov
E-Mail: submit@malware.us-cert.gov
FTP: ftp.malware.us-cert.gov (anonymous)

CISA and Dox encourage you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from malware, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.