A new malware strain, identified as ElectricFish, has been linked to the North Korean APT group Lazarus and is used to exfiltrate data from victims.
The malware is a command-line utility whose primary purpose is to funnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password that can be used to authenticate with a proxy server. It attempts to establish TCP sessions with both the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, the utility implements a custom protocol that allows traffic to be funneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address; a configured proxy server is not required for the utility to operate.
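The behaviour described above, a single process holding two TCP sessions and moving bytes from one to the other, is visible on the network side even when the binary itself is not recognised. The following is an added detection example, not code or data from the advisory: it runs a relay heuristic over constructed flow records (field names loosely modelled on Zeek conn.log with EDR-style process attribution; the image name `relay_util.exe` and all addresses are placeholders). A process is flagged when it has two concurrent sessions to different remote hosts and the bytes received on one session closely match the bytes sent on the other in both directions, which is what a tunnelling utility looks like regardless of the custom protocol it wraps the traffic in.

```python
"""Flag processes whose two TCP sessions carry mirrored byte counts (relay behaviour).

Added example; the records below are constructed and the field layout is an
assumption (Zeek-like conn.log fields joined with pid/image from an EDR).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Conn:
    pid: int
    image: str
    local: str      # "ip:port" on the monitored host
    remote: str     # "ip:port" of the peer
    bytes_out: int  # bytes the monitored host sent on this session
    bytes_in: int   # bytes the monitored host received on this session


# Constructed sample: one relay-like process, one browser, one lone session.
SAMPLE_CONNS: List[Conn] = [
    Conn(4120, "relay_util.exe", "10.0.5.20:49712", "10.0.5.7:445", 8000, 120000),
    Conn(2200, "browser.exe", "10.0.5.20:49720", "203.0.113.10:443", 2000, 900000),
    Conn(4120, "relay_util.exe", "10.0.5.20:49713", "198.51.100.23:8080", 118500, 7900),
    Conn(2200, "browser.exe", "10.0.5.20:49721", "203.0.113.44:443", 1500, 50000),
    Conn(3300, "updater.exe", "10.0.5.20:49730", "203.0.113.80:443", 4000, 4100),
]


def mirrored(x: int, y: int, tolerance: float) -> bool:
    """True when x and y differ by at most `tolerance` of the larger value.

    The tolerance absorbs framing overhead added by a custom tunnelling protocol."""
    if x == 0 and y == 0:
        return True
    return abs(x - y) <= tolerance * max(x, y)


def find_relays(conns: List[Conn], tolerance: float = 0.10,
                min_bytes: int = 4096) -> List[Tuple[int, str, str, str]]:
    """Return (pid, image, remote_a, remote_b) for each pair of sessions owned by
    one process where traffic arriving on A leaves on B and vice versa."""
    by_proc: Dict[Tuple[int, str], List[Conn]] = defaultdict(list)
    for c in conns:
        by_proc[(c.pid, c.image)].append(c)

    hits: List[Tuple[int, str, str, str]] = []
    for (pid, image), sessions in by_proc.items():
        if len(sessions) < 2:
            continue
        for i in range(len(sessions)):
            for j in range(i + 1, len(sessions)):
                a, b = sessions[i], sessions[j]
                # Two sessions to the same host are not a relay between two machines.
                if a.remote.split(":")[0] == b.remote.split(":")[0]:
                    continue
                # Ignore tiny flows; handshakes alone can look mirrored by accident.
                if max(a.bytes_in, b.bytes_in) < min_bytes:
                    continue
                if (mirrored(a.bytes_in, b.bytes_out, tolerance)
                        and mirrored(b.bytes_in, a.bytes_out, tolerance)):
                    hits.append((pid, image, a.remote, b.remote))
    return hits


if __name__ == "__main__":
    for pid, image, ra, rb in find_relays(SAMPLE_CONNS):
        print(f"relay candidate: pid={pid} image={image} {ra} <-> {rb}")
```

The browser in the sample also holds two sessions to different hosts, but its byte counts are asymmetric (large downloads, small requests), so it is not flagged; only the placeholder relay process, whose inbound bytes on the internal session match its outbound bytes on the external one, produces a hit. In practice this heuristic is a triage signal to pair with process lineage and the presence of two ip:port pairs on the command line, not a standalone verdict.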
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)