The US Department of Homeland Security (DHS) and US Federal Bureau of Investigation (FBI) have officially revealed the IP addresses that they say are used by the North Korean government to administer the FallChill remote access trojan (RAT).
Citing third-party reports, the DHS and FBI believe that Hidden Cobra, an APT whose malicious activity is linked to North Korea, has been using FallChill since 2016 to target defense, telecom and finance industries.
"The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim's system via dual proxies," the alert states. "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors."
FallChill and other Hidden Cobra activity also appear to support one another: Hidden Cobra actors use a dropper to install FallChill, establish persistence, and then use that foothold to install additional malware later.
The IP addresses the agencies have associated with FallChill are listed in the alert; the full set of IOCs can be viewed here.
The alert details how Hidden Cobra stays in the shadows while it goes about its business. The APT group accomplishes this by using layers of fake Transport Layer Security (TLS) between the attacker, the malware and the victim. It encodes the data "with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]," the report states.
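As an added example (not code from the alert or from this article), the following Python routine shows how an analyst can apply the RC4 key quoted above to decode a captured FallChill payload offline; the beacon bytes it decodes are constructed for illustration, not real traffic.

```python
# Added example: RC4 decoder keyed with the byte sequence quoted in the DHS/FBI alert.
# Intended for offline analysis of captured traffic; the sample payload below is constructed.

# Key bytes exactly as quoted in the alert (16 bytes).
FALLCHILL_RC4_KEY = bytes.fromhex("0d06092a864886f70d01010105000382")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR each data byte with the keystream.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decode_fallchill(blob: bytes) -> bytes:
    """Decode a captured payload with the key from the alert (RC4 is symmetric)."""
    return rc4(FALLCHILL_RC4_KEY, blob)


def self_check() -> bool:
    """Known RC4 test vector: key 'Key', plaintext 'Plaintext' -> bbf316e8d940af0ad3."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Constructed sample: a fake beacon body encoded with the alert's key, not real traffic.
SAMPLE_BEACON = b"hostname=WORKSTATION-01;ip=10.0.0.5"
SAMPLE_CAPTURE = rc4(FALLCHILL_RC4_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    assert self_check(), "RC4 implementation failed its test vector"
    print(decode_fallchill(SAMPLE_CAPTURE))
```

Because RC4 is a symmetric stream cipher, the same `rc4` call both produces the constructed capture and recovers the beacon from it.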
Once ensconced in a system, FallChill registers with its C2 server, transmitting the system's operating system (OS) version information, processor information, system name, local IP address information, a uniquely generated ID, and MAC address. Its other built-in capabilities include the ability to retrieve information about the disks (including how much free space is available); search, read, write, move and execute files; and delete the malware and all of its artifacts.
To combat Hidden Cobra and FallChill, DHS recommends whitelisting approved programs, keeping up to date with security patches, keeping antivirus software current, restricting user permissions to install and update software, and avoiding enabling macros.