win.electricfish

ELECTRICFISH

Actor(s): Lazarus Group


The application is a command-line utility whose primary purpose is to tunnel traffic between two IP addresses. It accepts command-line arguments that configure a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be used to authenticate with a proxy server. It attempts to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility implements a custom protocol that allows traffic to be tunneled rapidly and efficiently between the two machines. If necessary, the malware can authenticate with a proxy in order to reach the destination IP address. A configured proxy server is not required for this utility.

References
2020-02-19 Lexfo Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 Qianxin Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-05-09 CISA CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
Yara Rules
[TLP:WHITE] win_electricfish_auto (20211008 | Detects win.electricfish.)
rule win_electricfish_auto {
    // Auto-generated code-sequence rule for ELECTRICFISH (Lazarus Group).
    // It matches on short runs of x86 instruction bytes rather than on
    // plaintext strings; the DISCLAIMER below explains how they were chosen.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.electricfish."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is seven consecutive instructions from the unpacked
    // sample ("n = 7" in the per-sequence comments is that instruction count;
    // "score" is yara-signator's own ranking and is not used by the rule).
    // Bytes written as ?? are wildcards: with signator_config
    // "callsandjumps;datarefs" the operands of calls/jumps and data
    // references are masked (e.g. the rel32 after e8, the imm32 after 68),
    // so a sequence still matches when the sample is relocated or rebuilt.
    strings:
        $sequence_0 = { e8???????? 83c410 85c0 744d 837f4c00 741d e8???????? }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   744d                 | je                  0x4f
            //   837f4c00             | cmp                 dword ptr [edi + 0x4c], 0
            //   741d                 | je                  0x1f
            //   e8????????           |                     

        $sequence_1 = { eb16 8b0f 8b01 f7d0 eb0e 837f0400 7504 }
            // n = 7, score = 1100
            //   eb16                 | jmp                 0x18
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   f7d0                 | not                 eax
            //   eb0e                 | jmp                 0x10
            //   837f0400             | cmp                 dword ptr [edi + 4], 0
            //   7504                 | jne                 6

        $sequence_2 = { eb05 bd01000000 43 3b5c2420 0f8c5cfeffff 5f 5e }
            // n = 7, score = 1100
            //   eb05                 | jmp                 7
            //   bd01000000           | mov                 ebp, 1
            //   43                   | inc                 ebx
            //   3b5c2420             | cmp                 ebx, dword ptr [esp + 0x20]
            //   0f8c5cfeffff         | jl                  0xfffffe62
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { e8???????? 53 55 56 8bf1 8b4650 8bae80000000 }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4650               | mov                 eax, dword ptr [esi + 0x50]
            //   8bae80000000         | mov                 ebp, dword ptr [esi + 0x80]

        $sequence_4 = { c744241001000000 896c2414 84c0 740d 392f 7509 5f }
            // n = 7, score = 1100
            //   c744241001000000     | mov                 dword ptr [esp + 0x10], 1
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   84c0                 | test                al, al
            //   740d                 | je                  0xf
            //   392f                 | cmp                 dword ptr [edi], ebp
            //   7509                 | jne                 0xb
            //   5f                   | pop                 edi

        $sequence_5 = { e8???????? 8be8 83c40c 896c2414 85ed 757b 68b7040000 }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   83c40c               | add                 esp, 0xc
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   85ed                 | test                ebp, ebp
            //   757b                 | jne                 0x7d
            //   68b7040000           | push                0x4b7

        $sequence_6 = { 89bc24c4120000 8bbc24a0120000 8bac244c130000 13ac24ac120000 03fb 8b9c24a4120000 13dd }
            // n = 7, score = 1100
            //   89bc24c4120000       | mov                 dword ptr [esp + 0x12c4], edi
            //   8bbc24a0120000       | mov                 edi, dword ptr [esp + 0x12a0]
            //   8bac244c130000       | mov                 ebp, dword ptr [esp + 0x134c]
            //   13ac24ac120000       | adc                 ebp, dword ptr [esp + 0x12ac]
            //   03fb                 | add                 edi, ebx
            //   8b9c24a4120000       | mov                 ebx, dword ptr [esp + 0x12a4]
            //   13dd                 | adc                 ebx, ebp

        $sequence_7 = { e8???????? 8bf8 83c404 83ff40 7617 68d7000000 68???????? }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   83ff40               | cmp                 edi, 0x40
            //   7617                 | jbe                 0x19
            //   68d7000000           | push                0xd7
            //   68????????           |                     

        $sequence_8 = { 8d4b07 3bc1 0f8268faffff c60700 8b542410 c6420110 8b442410 }
            // n = 7, score = 1100
            //   8d4b07               | lea                 ecx, dword ptr [ebx + 7]
            //   3bc1                 | cmp                 eax, ecx
            //   0f8268faffff         | jb                  0xfffffa6e
            //   c60700               | mov                 byte ptr [edi], 0
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   c6420110             | mov                 byte ptr [edx + 1], 0x10
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_9 = { e8???????? 8b4c2414 03d8 13ea 8b942484000000 33c0 50 }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   03d8                 | add                 ebx, eax
            //   13ea                 | adc                 ebp, edx
            //   8b942484000000       | mov                 edx, dword ptr [esp + 0x84]
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

    // At least 7 of the 10 sequences must be present, and the scanned file
    // must be smaller than 3162112 bytes (~3 MiB); the size bound keeps the
    // byte-pattern scan cheap on large inputs. Because the sequences come from
    // memory dumps / unpacked files, a packed on-disk sample may not trigger
    // this rule — scan unpacked or in-memory images, or pair it with a
    // string-based rule, when coverage matters.
    condition:
        7 of them and filesize < 3162112
}
[TLP:WHITE] win_electricfish_w0   (20190815 | HiddenCobraElectricFish)
rule win_electricfish_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "HiddenCobraElectricFish"
        copyright = "Alienvault Inc. 2019"
        reference = "a3a1a43f0e631c10ab42e5404b61580e760e7d6f849ab8eb5848057a8c60cda2,7efe8a7ad9c6a6146bddd5aef9ceba477ca6973203a41f4b7f823095a90cb10f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
        malpedia_version = "20190815"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Three plaintext markers observed in the sample. The default narrow
     * encoding is spelled out with the `ascii` modifier; identifiers are
     * named after their literal content and carry no meaning for matching,
     * since the condition uses "all of them". */
    strings:
        $str_log  = "CCGC_LOG ===>" ascii
        $str_recv = "<==RECV===" ascii
        $str_abcd = "aaaabbbbccccdddd" ascii

    condition:
        // Require a PE/MZ header (the cheap check, evaluated first) and
        // every one of the three markers.
        uint16(0) == 0x5A4D and all of them
}