win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a username and password used to authenticate with a proxy server. It attempts to establish TCP sessions with the source IP address and with the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility implements a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address; a configured proxy server is not required for this utility.

References
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 · CISA · CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20210616 | Detects win.electricfish.)
rule win_electricfish_auto {
    // Auto-generated code-sequence signature for win.electricfish (see DISCLAIMER below
    // for how the byte sequences were selected and what that implies for confidence).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.electricfish."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of x86 opcode bytes taken from the sample's
     * disassembly (listed instruction by instruction in the comments below).
     * "??" bytes are YARA wildcards; they sit on the operand bytes of
     * call/jmp/push instructions (e8/e9/68/ff15), so addresses that differ
     * between builds or load positions do not break the match.
     * "n = 7, score = 1200" is the generator's own annotation for each sequence
     * (sequence length and ranking score), not something YARA evaluates. */
    strings:
        $sequence_0 = { 8b4e0c 51 e8???????? 83c40c 837e1800 7413 8b5614 }
            // n = 7, score = 1200
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   837e1800             | cmp                 dword ptr [esi + 0x18], 0
            //   7413                 | je                  0x15
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]

        $sequence_1 = { c70000000000 8b07 85c0 0f85c0010000 8bc3 8d5001 8d9b00000000 }
            // n = 7, score = 1200
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   85c0                 | test                eax, eax
            //   0f85c0010000         | jne                 0x1c6
            //   8bc3                 | mov                 eax, ebx
            //   8d5001               | lea                 edx, dword ptr [eax + 1]
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]

        $sequence_2 = { e8???????? 8b4c242c 68???????? 51 e8???????? 83c414 5f }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   68????????           |                     
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   5f                   | pop                 edi

        $sequence_3 = { e8???????? 57 89461c e8???????? 83c408 eb88 814b4800020000 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   57                   | push                edi
            //   89461c               | mov                 dword ptr [esi + 0x1c], eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   eb88                 | jmp                 0xffffff8a
            //   814b4800020000       | or                  dword ptr [ebx + 0x48], 0x200

        $sequence_4 = { e8???????? 83c40c e9???????? 8bcf 6a10 8d7c2414 e8???????? }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   e9????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   6a10                 | push                0x10
            //   8d7c2414             | lea                 edi, dword ptr [esp + 0x14]
            //   e8????????           |                     

        $sequence_5 = { e8???????? 83c414 e9???????? 891f 837d0000 0f85b2000000 0fb64d00 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   e9????????           |                     
            //   891f                 | mov                 dword ptr [edi], ebx
            //   837d0000             | cmp                 dword ptr [ebp], 0
            //   0f85b2000000         | jne                 0xb8
            //   0fb64d00             | movzx               ecx, byte ptr [ebp]

        $sequence_6 = { c3 68f0020000 68???????? 6a07 683f010000 6a14 e8???????? }
            // n = 7, score = 1200
            //   c3                   | ret                 
            //   68f0020000           | push                0x2f0
            //   68????????           |                     
            //   6a07                 | push                7
            //   683f010000           | push                0x13f
            //   6a14                 | push                0x14
            //   e8????????           |                     

        $sequence_7 = { b801000000 5e 5d c3 8b5614 52 ff15???????? }
            // n = 7, score = 1200
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_8 = { c1ef10 33db 0bdd 8bac24d8120000 897c2410 8bbc240c040000 0b7c2410 }
            // n = 7, score = 1200
            //   c1ef10               | shr                 edi, 0x10
            //   33db                 | xor                 ebx, ebx
            //   0bdd                 | or                  ebx, ebp
            //   8bac24d8120000       | mov                 ebp, dword ptr [esp + 0x12d8]
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   8bbc240c040000       | mov                 edi, dword ptr [esp + 0x40c]
            //   0b7c2410             | or                  edi, dword ptr [esp + 0x10]

        $sequence_9 = { e8???????? 83c408 85c0 7455 8b5604 8b4264 8b483c }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7455                 | je                  0x57
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   8b4264               | mov                 eax, dword ptr [edx + 0x64]
            //   8b483c               | mov                 ecx, dword ptr [eax + 0x3c]

    // At least 7 of the 10 sequences must be present, and the scanned file must be
    // smaller than 3162112 bytes (about 3 MiB). Note there is no PE-header check here,
    // so unlike win_electricfish_w0 this rule can also fire on memory dumps and
    // non-PE carriers that contain the code; the size cap presumably keeps it from
    // being evaluated against large unrelated files.
    condition:
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {
    /* String-based signature for ELECTRICFISH (AlienVault Labs, 2019).
     * Fires on PE files that contain all three literal markers listed below;
     * the referenced SHA-256 values in meta are the samples the strings came from. */
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "HiddenCobraElectricFish"
        copyright = "Alienvault Inc. 2019"
        reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_version = "20190815"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain ASCII literals (the default string type, stated explicitly here).
        // $x1/$x2 look like log / receive markers — presumably confirm against the sample.
        $x1 = "CCGC_LOG ===>" ascii
        $x2 = "<==RECV===" ascii
        // Fixed 16-byte literal present in the sample.
        $x3 = "aaaabbbbccccdddd" ascii

    condition:
        // 0x5a4d is "MZ" read as a little-endian uint16 at offset 0 (DOS/PE header),
        // so only PE images are considered; every $x string must then be present.
        uint16(0) == 0x5a4d
        and all of ($x*)
}