Threat Coverage

May 13, 2019

Hacker’s Playbook Updated with Methods for US-CERT Alert AR19-129A


SafeBreach Labs has updated the Hacker’s Playbook™ with new simulations for the attacks described in US-CERT Alert AR19-129A, which covers a new tool called “ELECTRICFISH” attributed to North Korean actors (aka “HIDDEN COBRA”).

This alert concerns a malicious 32-bit Windows executable. The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. It continuously attempts to reach out to both the source and the destination system, which allows either side to initiate a funneling session. The malware can be configured with a proxy server/port and a proxy username and password, which allows it to connect to a system sitting behind a proxy server. This lets the actor bypass the authentication the compromised system would otherwise require to reach outside of the network.

These attacks have appeared in the healthcare, finance, government, and defense industries. The widespread availability of these tools presents a challenge for network defenses and for threat-actor attribution. SafeBreach recommends that all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls available now:

Newly developed playbook methods related to AR19-129A

Playbook # 2287 – Write ELECTRICFISH malware to disk (WINDOWS) (Host-Level)

  • Endpoint Controls – Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook # 2288 – Transfer of ELECTRICFISH malware over HTTP/S (Lateral Movement)

  • Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2289 – Transfer of ELECTRICFISH malware over HTTP/S (Infiltration)

  • Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook # 2290 – Email ELECTRICFISH malware as a ZIP attachment (Lateral Movement)

  • Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook # 2291 – Email ELECTRICFISH malware as a ZIP attachment (Infiltration)

  • Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook # 2292 – Communication with Proxy Server using ELECTRICFISH Authentication Protocol (Infiltration)

  • Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?
