FBI Detects New Surveillance Malware Linked to North Korea’s Lazarus Group

Critical networks are caught in the crossfire of the ongoing battle over industrial secrets, technology patents, military operations and financial information. Almost exactly a month after the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint advisory warning that a backdoor Trojan was in the wild, the two agencies have published a new alert.

According to the latest malware analysis report, government analysts investigating the activity of the North Korean state-sponsored group Lazarus identified a new malware variant dubbed ELECTRICFISH. Last month's HOPLIGHT was a backdoor Trojan aimed at critical infrastructure; ELECTRICFISH is likewise an espionage tool, but its job is to tunnel traffic between the compromised network and the attackers rather than to collect data itself.

The report analyzes a single malicious 32-bit Windows executable. According to the analysts, the malware implements “a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address.” “The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session.” The sample can also be configured with a proxy server and port together with a proxy username and password; the analysts explain that this lets the operator reach a system sitting behind a proxy and bypass the authentication the compromised host would otherwise need to get traffic out of the network. Anything tunneled over such a session, including stolen data, therefore ends up on infrastructure the attackers control.

“The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes,” reads the analysis. “Everything within this 34-byte header is static except for the bytes 0X2B6E, which will change during each connection attempt.”
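A protocol whose authentication header is fixed apart from two bytes at a known position is a good candidate for a byte-pattern signature. The following Python, added here as an illustration and not code from the report or from the malware authors, models such a header and shows both sides of the detection problem: generating headers the way the text describes (a static template with two random bytes) and matching captured packets against the template while ignoring those two positions. The template bytes and the positions of the two variable bytes are constructed for the example; the real values are in the DHS/FBI report and are not reproduced here.

```python
import os
from typing import Callable, List, Optional

HEADER_LEN = 34

# Constructed 34-byte template: NOT the real ELECTRICFISH header bytes.
TEMPLATE = bytes.fromhex(
    "c0ffee000102030405060708090a0b0c"  # bytes 0..15  (static)
    "0000"                              # bytes 16..17 (replaced per connection)
    "0d0e0f101112131415161718191a1b1c"  # bytes 18..33 (static)
)
assert len(TEMPLATE) == HEADER_LEN

# Hypothetical positions of the two bytes that change on every attempt.
VARIABLE_OFFSETS = (16, 17)


def build_auth_header(rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Simulate the malware side: copy the static template and overwrite
    the two variable positions with fresh random bytes."""
    buf = bytearray(TEMPLATE)
    rand = rng(len(VARIABLE_OFFSETS))
    for i, off in enumerate(VARIABLE_OFFSETS):
        buf[off] = rand[i]
    return bytes(buf)


def matches_template(packet: bytes) -> bool:
    """Detection side: true if the first 34 bytes equal the template at
    every position except the variable ones."""
    if len(packet) < HEADER_LEN:
        return False
    return all(
        packet[i] == TEMPLATE[i]
        for i in range(HEADER_LEN)
        if i not in VARIABLE_OFFSETS
    )


def extract_variable_bytes(packet: bytes) -> Optional[bytes]:
    """Return the per-connection bytes from a matching header, else None."""
    if not matches_template(packet):
        return None
    return bytes(packet[off] for off in VARIABLE_OFFSETS)


def static_runs() -> List[tuple]:
    """Split the header into contiguous static byte ranges [start, end)."""
    runs, start = [], None
    for i in range(HEADER_LEN + 1):
        static = i < HEADER_LEN and i not in VARIABLE_OFFSETS
        if static and start is None:
            start = i
        elif not static and start is not None:
            runs.append((start, i))
            start = None
    return runs


def snort_content_options() -> str:
    """Render the static runs as Snort/Suricata content matches anchored
    with absolute offset/depth, so the two random bytes are skipped."""
    parts = []
    for s, e in static_runs():
        hexs = " ".join(f"{b:02x}" for b in TEMPLATE[s:e])
        parts.append(f'content:"|{hexs}|"; offset:{s}; depth:{e - s};')
    return " ".join(parts)


def scan_packets(packets: List[bytes]) -> List[int]:
    """Indices of packets whose leading bytes match the template."""
    return [i for i, p in enumerate(packets) if matches_template(p)]


if __name__ == "__main__":
    # Constructed sample traffic: two malware-style headers, one benign blob.
    samples = [build_auth_header(), b"GET / HTTP/1.1\r\n" * 3, build_auth_header()]
    print("matches at", scan_packets(samples))
    print(snort_content_options())
```

The `offset`/`depth` pairs are absolute to the start of the payload, so each static run is matched independently and the two variable bytes fall in the gap between them; a reviewer can paste the rendered options into an `alert tcp` rule once the real template bytes have been substituted.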

HIDDEN COBRA, the US government's name for the group more widely known as Lazarus Group and widely assessed to operate on behalf of the North Korean government, has a record of cyberespionage and financially motivated activity spanning almost a decade, including attacks on cryptocurrency exchanges, intrusions against the South Korean government, the 2014 Sony Pictures breach and a string of bank heists. Its most notorious operation remains the WannaCry worm of May 2017, which capitalized on the leaked NSA EternalBlue exploit and was publicly attributed to North Korea by the US government. The complete government investigation into the group's activity can be reviewed in US-CERT's published HIDDEN COBRA reporting.

The report closes with the usual mitigation guidance to help organizations prevent or contain an infection:

- keep antivirus signatures up to date and the operating system patched;
- use strong passwords and authentication for shared services;
- restrict membership of administrator groups and reconsider who may install software on company networks;
- train employees to recognize phishing and the risk of opening an unexpected email attachment;
- monitor internet activity and browsing history;
- run regular malware scans across all software and systems.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Luana Pascu. Read the original post at: