Hello, welcome to the Thursday, May 10th, 2019 edition of the Sancton Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from San Diego, California.

The Department of Homeland Security released a brief analysis of Malware that it is calling electric fish,

and that is, according to the Department of Homeland

Security associated with North Korea.

Now like I said, it's pretty brief what they're writing up here.

There are some code samples, but overall the write-up isn't terribly clear in what sort

of makes this malware all that special.

It appears to be a simple backdoor essentially that can be used via a proxy system.

The backdoor is authenticated, but it uses its own static username and password, so it does not rely on any authentication provided by the operating system.

Now, I can think sort of a couple possible reason why a particular tunnel like this may come in handy.

First of all, it's fairly flexible as far as what port is being used.

Since it's not using a standard protocol, it may not get flagged by some application signatures

that will, for example, alert on SSH running on a different port.

Also, it's not using the operating systems authentication features, so it probably won't get locked whenever it is being

used.

And like always, with covert channels like this, once you do know what to look for, it's

actually not all that hard to spot.

This particular malware starts out with a static header that's being used to essentially identify and authenticate

then to the receiver. Only two bytes of this header are intentionally randomized. KeyPass is a pretty

well respected open source password manager. Now if you want to download KeyPass, you better go to

keypass. info. KeyPass.com, while it does look like a site associated with the password

...