The North Korean APT group Hidden Cobra is using new variants of malware, dubbed ELECTRICFISH and BADCALL.
The malware continuously attempts to reach out to both the source and the destination system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server and port plus a proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which lets the actor bypass the authentication the compromised system would otherwise require to reach outside of the network.
The sample files discovered for the BADCALL variant are 32-bit Windows executables that function as proxy servers and implement a "Fake TLS" (traffic disguised to look like TLS).
An Android Package Kit (APK) file was also found; it runs on Android devices and works as a fully functioning Remote Access Tool (RAT).