US Cyber Command releases malware samples linked to North Korean hackers

One sample appears to be the same piece of malware that US agencies warned about in May

The US Cyber Command has released two new malware samples that are thought to be linked to North Korean hackers.

The military unit posted the malicious software samples on VirusTotal - a popular database used by security experts for malware and security research.

One of the malware samples is a dynamically linked library (DLL), which must be loaded by another program, while the other is a stand-alone executable file that runs on its own without requiring any other file.

The executable file appears to be the same piece of malware, named ElectricFish, which the US Department of Homeland Security and the Federal Bureau of Investigation warned about in May.

"When reviewing these samples, one appears to be a popular North Korean tunnelling tool referred to as ElectricFish and the other is confirmed to be a Fake TLS proxy tool," Kaspersky Senior Security Researcher Brian Bartholomew told CyberScoop.

According to Bartholomew, the malware sample that resembles ElectricFish lets attackers use a compromised machine as a hop point through which to route traffic. That behaviour is "similar to what ElectricFish does," he said, although it is achieved in a different way.

Cybersecurity experts from CrowdStrike and Symantec told CyberScoop that the newly posted samples are likely linked with Lazarus Group - an umbrella term used to describe the hacking activity carried out to advance the interests of the North Korean government.

Lazarus Group is particularly notorious for abusing the SWIFT payment transfer system and for hacking banks. The group is also blamed for the Sony hack in 2016 and the WannaCry attack in 2017.

Some of Lazarus Group's activity is driven by the sanctions imposed on Pyongyang in past years, which have starved the government of financial resources.

Last month, a leaked UN report revealed that North Korea used 35 cyberattacks to steal $2 billion from foreign financial institutions, and spent the money on its weapons programmes. The confidential report claimed that North Korean hackers targeted banks and crypto-currency exchanges to collect cash.

John Hultquist, director of intelligence analysis at FireEye, links the malware samples to North Korean group APT38, which uses destructive malware to steal money from financial firms.

The US Cyber Command is a military unit and the sister organisation of the US National Security Agency (NSA). It focuses on offensive cyber operations and on the hacking operations of state-backed threat actors. The unit also operates its own Twitter account to inform cybersecurity experts about new malware being launched by hacking groups worldwide. Such disclosures help security researchers fight threats arising from nation states.