Critical networks are caught in the crossfire of the battle over industrial secrets, tech patents, military operations and financial information. A month after the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint security advisory warning that a critical backdoor Trojan was in the wild, a new alert has followed.
According to the latest malware analysis, government security experts investigating illegal online activity associated with the North Korean state-sponsored group Lazarus have blocked a brand new malware variant dubbed ELECTRICFISH, a surveillance weapon. Last month's HOPLIGHT targeted critical infrastructure to infect it with spyware.
Reverse engineering of a malicious 32-bit Windows executable shows that the malware implements "a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address," according to the analysis. "The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session."
The malware can be configured with a proxy server and port plus a proxy username and password, a feature that lets the attackers reach a system sitting behind a proxy server while evading detection, experts explain. The stolen information is sent to the criminals' server.
"The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes," reads the analysis. "Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt."
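A header that is static apart from two bytes that change on every connection attempt is exactly the kind of property a network detection rule can key on: compare the captured bytes against a template while masking out the offsets that are allowed to vary. The following is an added example written for this article, not code from the original piece or from the DHS/FBI report. The template bytes and the offsets of the two varying bytes are constructed placeholders, not the actual ELECTRICFISH header values, and the function names (`matches_masked_signature`, `scan_payloads`, `extract_variable_bytes`) are chosen for this illustration.

```python
"""Masked byte-signature check for a fixed-length protocol header that is
static except at a small number of byte offsets (the pattern the analysis
describes for the malware's 34-byte authentication packet header).

All header bytes below are CONSTRUCTED placeholders for illustration; they are
not the real header values from the DHS/FBI report.
"""

HEADER_LEN = 34

# Constructed placeholder template standing in for the static header.
TEMPLATE = bytes(range(0x10, 0x10 + HEADER_LEN))

# Offsets of the two bytes allowed to vary per connection attempt (assumed
# positions chosen for the example, not taken from the report).
VARIABLE_OFFSETS = frozenset({20, 21})


def build_mask(length, variable_offsets):
    """Return a byte mask: 0xFF where the byte must match, 0x00 where it may vary."""
    return bytes(0x00 if i in variable_offsets else 0xFF for i in range(length))


MASK = build_mask(HEADER_LEN, VARIABLE_OFFSETS)


def matches_masked_signature(data, template=TEMPLATE, mask=MASK):
    """True if the leading bytes of `data` equal `template` at every masked-in offset.

    A payload shorter than the template never matches: the static bytes cannot
    be confirmed, and a partial match would invite false positives.
    """
    if len(data) < len(template):
        return False
    return all(
        (d & m) == (t & m)
        for d, t, m in zip(data[: len(template)], template, mask)
    )


def extract_variable_bytes(data, variable_offsets=VARIABLE_OFFSETS):
    """Pull out the varying bytes (e.g. to log them alongside an alert)."""
    return bytes(data[i] for i in sorted(variable_offsets))


def scan_payloads(payloads):
    """Return the indexes of payloads whose header matches the signature."""
    return [i for i, p in enumerate(payloads) if matches_masked_signature(p)]


def _make_sample(random_two):
    """Build a constructed payload: the template with the two variable bytes replaced."""
    buf = bytearray(TEMPLATE)
    for off, val in zip(sorted(VARIABLE_OFFSETS), random_two):
        buf[off] = val
    return bytes(buf)


# Constructed sample traffic: two "connection attempts" with different random
# bytes, one packet that differs in a static byte, one unrelated payload, and
# one truncated header.
SAMPLE_PAYLOADS = [
    _make_sample(b"\xa1\x07") + b"...trailing data...",   # match
    _make_sample(b"\x3c\xe9"),                            # match
    TEMPLATE[:5] + b"\x00" + TEMPLATE[6:],                # static byte altered: no match
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",       # unrelated: no match
    TEMPLATE[:HEADER_LEN - 1],                            # truncated: no match
]


if __name__ == "__main__":
    for idx in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: header matches, variable bytes = "
              f"{extract_variable_bytes(SAMPLE_PAYLOADS[idx]).hex()}")
```

The same masked comparison is what an IDS content rule with a byte mask does; the point of doing it explicitly is that a naive full-header equality check would miss every attempt, because the two random bytes differ each time, while a rule that only matched a short prefix would be far easier to collide with by accident.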
Hidden Cobra, a gang more famously known as the Lazarus Group and allegedly financed by the North Korean government, has a nearly decade-long history of malicious cyberespionage activity. The group is credited with cryptocurrency attacks and sophisticated techniques that have targeted the government of South Korea and Sony Pictures and have been used in countless bank heists. However, its most notorious worm attack is WannaCry, which capitalized on an NSA exploit and was directly linked to North Korea. The complete government investigation into the group's activity can be reviewed here.
The report includes guidelines to help enterprises and organizations mitigate an infection and strengthen their systems' cybersecurity. These include regularly updating antivirus software, maintaining and patching the operating system, using strong passwords and authentication for shared services, restricting user access to administrator groups and reconsidering who is permitted to install software on company networks. They also recommend teaching employees about phishing techniques and the risks of opening a potentially infected email attachment, keeping a close eye on all internet activity and browsing history, and regularly scanning all software and systems for malware.