Malware Analysis Report (AR19-129A) (May 9, 2019)
A Malicious Analysis Report (MAR) has been released by the US DHS and FBI detailing a malware used by the North Korean government. The malware named “ELECTRICFISH” uses a custom protocol to allow traffic between a source and target IP address from a Windows executable file. Once a connection is established, a funneling session is initiated with a proxy server used to bypass required authentication. With this type of malware, the attacker is able to steal information from the victim’s system, sending it to servers controlled by the group.
Recommendation: The Cybersecurity and Infrastructure Security Agency (CISA) has issued the following recommendations for users and administrators: kept antivirus signatures and engines up to date. Keep operating system patches up-to-date. Disable File and Printer sharing services, if required use a strong password or Active Directory authentication. Restrict users’ permissions to install and run unwanted software. Do not add users to the location admin group, unless required. Enforce a strong password policy and implement regular password changes. Exercise caution when opening email attachments, even when the sender is expected and known. Enable a personal firewall, deny unsolicited connection requests. Scan and remove suspicious email attachments, make sure extension matches file header. Monitor users’ web behaviour and restrict access to unfavorable content. Exercise content when using removable media. Scan all software downloaded from the internet. Be aware of the latest threats and implement appropriate Access Control Lists (ACLs).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.