
The FBI Hook Electricfish Malware

Fri, 07 Jun 2019

In a recent report, the Department of Homeland Security and the FBI disclosed a North Korean tunnelling tool, a piece of malware named Electricfish, that creates a data tunnel between a compromised computer and the attackers' infrastructure. Electric fish, in the waters, are known for their stealthy nature and ability to stun prey silently. Electricfish malware in the cyber-wild is similar to its namesake: it is a stealthy tool that exposes its victim's data with little warning.

The malware is a command-line utility whose primary purpose is to funnel traffic between two IP addresses. The Electricfish malware is a 32-bit Windows executable that implements a custom protocol and can be configured with a proxy server, plus a proxy username and password. That lets the attackers bypass the compromised system's required proxy authentication to reach outside the network, and it makes it possible to reach a system that sits behind a proxy from the outside.

The report states that “After the malware authenticates with the configured proxy, it will immediately attempt to establish a session with the destination IP address, located outside of the target network and the source IP address. The header of the initial authentication packet, sent to both the source and destination systems, will be static except for two random bytes.”[i]

Hidden Cobra

Electricfish is used by the North Korean hacking group Hidden Cobra, also known as the Lazarus Group and the Guardians of Peace. Hidden Cobra, believed to be backed by the North Korean government, is known for attacks on high-value targets with valuable intellectual property, such as aerospace, critical infrastructure, financial and media organizations around the world. It is the same group associated with the 2014 Sony Pictures attack and the 2017 WannaCry ransomware outbreak, and in April 2019 the US government issued a warning about Hoplight, another malware strain used by Hidden Cobra.[ii]

What is Malware? 

Malware, or malicious code, is a program that is secretly implanted into another program “with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.”[iii] Malware can cause widespread damage, instigate disruption, and necessitate extensive recovery efforts, all of which means lost revenue.

Not all malware is destructive; some is merely annoying, slowing computer performance or generating a flood of pop-up ads (adware). State-sponsored malware like Electricfish is far more nefarious, designed to steal data and spy. It's essential to know the different types of malware and what an infection means for your system.


Spyware

Spyware does exactly what you think from its name: it hides on your computer, monitoring everything from web activity to emails, even stealing usernames and passwords.


Ransomware

Ransomware holds the data on your computer hostage by encrypting your files and demanding payment (a ransom) to regain access. The best way to beat a ransomware attack is not to pay the ransom but to be proactive: back up your computer regularly to an external source and keep that backup disconnected from the machine, since ransomware will also encrypt any attached drive or mapped network share it can reach. Then, if infected, restore your files from your most recent clean backup.


Rogueware

Sometimes referred to as rogue security software, rogueware is malware that poses as internet security software. It typically imitates an anti-virus program, running fake scans of your computer and alerting you to a virus that doesn't exist. The program will usually offer a link promising to clean up the "infection"; clicking it most often leads to a malicious or compromised website that installs further malware on your computer.


Bots

Bots, short for robots, are programs that carry out automated tasks on the victim's computer under the control of a remote operator. A computer infected by a bot is often called a 'zombie' because it no longer acts for itself, and a collection of such machines is a botnet. Botnets can wreak all sorts of chaos, from launching Distributed Denial of Service (DDoS) attacks to distributing spam.

Trojan Horses

Trojan horse malware is named for the wooden horse the Greeks used to trick the Trojans into bringing concealed enemy soldiers inside the walls of Troy: it hides the malicious payload in what appears to be a legitimate file to get it onto the system, then "attacks" from inside. Trojans can cause severe damage to your data, including deletion, modification, copying and theft, as well as disruption of network activity. There are many Trojan variants, such as the backdoor Trojan, the Remote Access Trojan (RAT) and the infostealer Trojan, to name a few.

Macro Viruses

Macro viruses are a type of infection written in the macro language (the scripting used to automate common commands in word-processing and spreadsheet programs). They travel in Microsoft Office documents such as Word, Excel and PowerPoint files and do nothing until the macro runs, which usually means opening the document and clicking "Enable Content" when Office asks; modern Office versions block macros from untrusted documents by default, so the usual attack is to trick the user into enabling them. Macro viruses can alter documents and access email accounts, sending copies of themselves to the victim's contacts.


Worms

A computer worm's goal is to replicate, spreading as many copies of itself as possible from computer to computer. A worm can replicate without human interaction and does not need to attach itself to another program to cause damage. Worms can delete or modify files and drop additional malware onto your computer; WannaCry, mentioned above, spread as a worm.

Protecting Against Malware

Malware can get onto your computer via file sharing, removable media, downloading rogueware, or going online with a device that has no security software or patches installed.

Whether protecting against Electricfish or any other form of malware, the following list of cybersecurity best practices, most of which are just good cyber hygiene, will help protect your company’s system.

Have anti-virus software installed on all devices and keep its signatures up to date

Keep all operating system and application patches up to date

Disable file sharing services. If file sharing is required, use strong passwords and authentication, and share only what is needed

Restrict users' permissions so they cannot install or run unwanted software applications; ordinary users should not be local administrators

Create and enforce a firm password policy. Current NIST guidance (SP 800-63B) favours long, unique passwords that are changed when compromise is suspected over forced periodic rotation

Educate employees about email attachments and phishing scams, and use caution when opening attachments even if the sender appears to be known

Enable a host firewall configured to deny unsolicited inbound connection requests on all organization workstations

Monitor users' web browsing and restrict access to sites that are more likely to host malicious content

Exercise caution with removable media such as USB sticks and external drives

Scan all downloaded software before installing it

Stay current with new threats and cyber attack trends

Have an incident response plan that covers malware; keep it current and practise it
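An added example (my own, not from the original post or from the DHS/FBI report): a read-only PowerShell check that audits a Windows 10 or Server 2016+ workstation against several of the items above (anti-virus state and signature age, patch recency, file sharing and SMBv1, local administrator membership, and host firewall defaults). It assumes Microsoft Defender and an elevated PowerShell 5.1 session; the age thresholds and the "two local admins" limit are my assumptions and should be set to your own policy. The script name used in the usage note is hypothetical.

```powershell
# Added example: read-only endpoint hygiene check for the checklist above.
# Not from the original post or the DHS/FBI report. Run elevated in PowerShell 5.1
# on Windows 10 / Server 2016 or later. Thresholds below are assumptions.

$MaxSignatureAgeDays = 3    # assumption: AV definitions older than this are stale
$MaxPatchAgeDays     = 45   # assumption: no hotfix in this window is a red flag
$MaxLocalAdmins      = 2    # assumption: built-in Administrator plus one managed account

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    $findings.Add(('{0,-4} {1,-28} {2}' -f $status, $Check, $Detail))
}

# 1. Anti-virus installed, real-time protection on, signatures current (Microsoft Defender)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Finding 'AV real-time protection' $mp.RealTimeProtectionEnabled `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'AV signatures current' ($sigAge.TotalDays -le $MaxSignatureAgeDays) `
        ('signatures {0:N1} days old' -f $sigAge.TotalDays)
} catch {
    Add-Finding 'AV status' $false 'Get-MpComputerStatus unavailable (third-party AV or Defender disabled)'
}

# 2. Operating system patches: date of the most recently installed hotfix
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix) {
    $patchAge = (Get-Date) - $lastHotfix.InstalledOn
    Add-Finding 'OS patches recent' ($patchAge.TotalDays -le $MaxPatchAgeDays) `
        ('last hotfix {0} on {1:yyyy-MM-dd}' -f $lastHotfix.HotFixID, $lastHotfix.InstalledOn)
} else {
    Add-Finding 'OS patches recent' $false 'no hotfix install dates found'
}

# 3. File sharing: SMB server service, non-default shares, and the legacy SMBv1 protocol
$smbSvc = Get-Service -Name LanmanServer
$customShares = @(Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|IPC\$|print\$|[A-Z]\$)$' })
Add-Finding 'File sharing disabled' ($smbSvc.Status -ne 'Running') `
    "LanmanServer=$($smbSvc.Status); custom shares=$($customShares.Count)"
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Finding 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

# 4. Users' ability to install software: who holds local Administrators
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Finding 'Local admins minimal' ($admins.Count -le $MaxLocalAdmins) ('members: ' + ($admins -join ', '))

# 5. Host firewall enabled on every profile and not allowing unsolicited inbound by default
foreach ($p in Get-NetFirewallProfile) {
    $ok = ([string]$p.Enabled -eq 'True') -and ([string]$p.DefaultInboundAction -ne 'Allow')
    Add-Finding "Firewall ($($p.Name))" $ok "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
}

# Report: one line per check, then a summary; nothing on the host is changed
$findings | ForEach-Object { Write-Output $_ }
$failed = @($findings | Where-Object { $_ -like 'FAIL*' }).Count
Write-Output ("{0} check(s) failed out of {1}" -f $failed, $findings.Count)
```

Save it as, for example, Check-EndpointHygiene.ps1 and run it from an elevated prompt; it only reads state and prints PASS/FAIL lines, so it is safe to schedule across a fleet. Items the script cannot verify on its own (staff training, the password policy, web filtering, removable media handling, and the incident response plan) still have to be checked against your written policy.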

Always be cautious when browsing the internet: avoid unfamiliar or questionable websites, be suspicious of redirects, and avoid downloading and file sharing from unofficial sites.
