win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a username and password that can be used to authenticate with a proxy server. It attempts to establish TCP sessions with both the source IP address and the destination IP address. If connections to both succeed, this malicious utility uses a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address; a configured proxy server is not required.

References
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 | CISA | CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20230125 | Detects win.electricfish.)
rule win_electricfish_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.electricfish."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a short run of x86 instruction bytes lifted from the
     * sample's disassembly (listed byte-by-byte in the comments under each
     * string). The `??` bytes mask operands that differ between builds:
     * call targets (e8 ????????), absolute addresses (8b0d ????????) and
     * pushed immediates (68 ????????), so a sequence matches on its opcode
     * skeleton rather than on fixed addresses. In the per-string comments,
     * n is the number of instructions in the sequence; the meaning of score
     * is not documented on this page and is presumably the generator's
     * ranking value.
     */
    strings:
        $sequence_0 = { 50 57 e8???????? 83c408 85c0 0f84f5020000 8b4d04 }
            // n = 7, score = 1200
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f84f5020000         | je                  0x2fb
            //   8b4d04               | mov                 ecx, dword ptr [ebp + 4]

        $sequence_1 = { 55 e8???????? 8bf0 6801000100 56 53 e8???????? }
            // n = 7, score = 1200
            //   55                   | push                ebp
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   6801000100           | push                0x10001
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_2 = { 83c404 85f6 7553 688d020000 68???????? 6888010000 e8???????? }
            // n = 7, score = 1200
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   7553                 | jne                 0x55
            //   688d020000           | push                0x28d
            //   68????????           |                     
            //   6888010000           | push                0x188
            //   e8????????           |                     

        $sequence_3 = { c7460c01000000 8b17 8916 e8???????? 894604 3bc3 0f849d000000 }
            // n = 7, score = 1200
            //   c7460c01000000       | mov                 dword ptr [esi + 0xc], 1
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8916                 | mov                 dword ptr [esi], edx
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   3bc3                 | cmp                 eax, ebx
            //   0f849d000000         | je                  0xa3

        $sequence_4 = { ebce 8b4c2418 51 e8???????? 83c404 ebbf 3bdd }
            // n = 7, score = 1200
            //   ebce                 | jmp                 0xffffffd0
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ebbf                 | jmp                 0xffffffc1
            //   3bdd                 | cmp                 ebx, ebp

        $sequence_5 = { e8???????? 8bcb e8???????? 83c41c 8b8508ffffff 8b8d1cffffff 50 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   8b8508ffffff         | mov                 eax, dword ptr [ebp - 0xf8]
            //   8b8d1cffffff         | mov                 ecx, dword ptr [ebp - 0xe4]
            //   50                   | push                eax

        $sequence_6 = { 3bc8 753e 8b0d???????? 3bc8 741d 81f9???????? 7415 }
            // n = 7, score = 1200
            //   3bc8                 | cmp                 ecx, eax
            //   753e                 | jne                 0x40
            //   8b0d????????         |                     
            //   3bc8                 | cmp                 ecx, eax
            //   741d                 | je                  0x1f
            //   81f9????????         |                     
            //   7415                 | je                  0x17

        $sequence_7 = { 83c40c 6800100000 8d95ecefffff 68???????? 52 e8???????? 8d85ecefffff }
            // n = 7, score = 1200
            //   83c40c               | add                 esp, 0xc
            //   6800100000           | push                0x1000
            //   8d95ecefffff         | lea                 edx, [ebp - 0x1014]
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   8d85ecefffff         | lea                 eax, [ebp - 0x1014]

        $sequence_8 = { 682d030000 68???????? bb0a000000 68f4000000 eb6d 8d5c241c }
            // n = 6, score = 1200
            //   682d030000           | push                0x32d
            //   68????????           |                     
            //   bb0a000000           | mov                 ebx, 0xa
            //   68f4000000           | push                0xf4
            //   eb6d                 | jmp                 0x6f
            //   8d5c241c             | lea                 ebx, [esp + 0x1c]

        $sequence_9 = { e8???????? 8b4668 8b885c020000 8b9058020000 681f0b0000 }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   8b4668               | mov                 eax, dword ptr [esi + 0x68]
            //   8b885c020000         | mov                 ecx, dword ptr [eax + 0x25c]
            //   8b9058020000         | mov                 edx, dword ptr [eax + 0x258]
            //   681f0b0000           | push                0xb1f

    condition:
        // A match needs any 7 of the 10 $sequence_* strings, so the rule still
        // fires when a few sequences differ between samples; the size cap limits
        // matches to files under 3162112 bytes (just over 3 MiB).
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "HiddenCobraElectricFish"
        copyright = "Alienvault Inc. 2019"
        // Two sample hashes the rule was written against (64 hex digits each,
        // so presumably SHA-256), comma-separated.
        reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_version = "20190815"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain ASCII literals (no `wide`/`nocase` modifiers): two log-style
        // markers and one fixed token the rule expects to find in the file.
        $x1 = "CCGC_LOG ===>"
        $x2 = "<==RECV==="
        $x3 = "aaaabbbbccccdddd"

    condition:
        // "MZ" at offset 0 (little-endian uint16 0x5A4D) restricts the rule to
        // DOS/PE images; every one of the three strings must then be present.
        uint16(0) == 0x5A4D and $x1 and $x2 and $x3
}