Warning over 'ElectricFish' malware linked with North Korean APT Hidden Cobra

North Korea-linked ElectricFish malware bypasses proxy servers' authentication procedures

New malware linked to North Korea has been identified by US security agencies. Dubbed ElectricFish, it is primarily designed to exfiltrate data from a target's network and has been linked with the Hidden Cobra advanced persistent threat (APT) group.

Security researchers track the Hidden Cobra group under various names, including Lazarus, ZINC, Guardians of Peace, NICKEL ACADEMY, and many others.

The warning was released yesterday in a joint malware analysis report (MAR) issued by the US Department of Homeland Security and Federal Bureau of Investigation.


Analysis of the tool, a 32-bit tunneling utility, found that the malware can bypass a proxy server's security controls.

When machines on a network reach the internet through a proxy server, the proxy acts as their gateway. Its primary job is to apply a firewall and web filter to those machines, shielding them from potential threats on the web.

ElectricFish, however, can establish a session between the target system and the attackers that bypasses the proxy server's authentication procedures.

"The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address," explains the advisory.

It continues: "The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.

"The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system's required authentication to reach outside of the network."

Once a session is established, the malware can funnel traffic between the two systems to enable attackers to transfer stolen data from compromised machines to servers controlled by them.

The US agencies have advised administrators and users to flag any suspicious activity associated with the malware. According to US-CERT, all such activity should be reported to the FBI Cyber Watch or the Cybersecurity and Infrastructure Security Agency.
