The US Department of Homeland Security and the FBI have recently identified a group of IP addresses associated with a Remote Administration Tool (RAT) used by the North Korean government known as FALLCHILL. The U.S. Government refers to this malicious cyber activity by the North Korean government as HIDDEN COBRA in a US CERT alert issued on November 14th. A significant number of the identified network and system indicators of compromise (IOCs) identified have been independently verified by FortiGuard Labs.
According to third party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that threat actors can issue from a command and control server to a victim’s compromised system via dual proxies.
Another DHS CERT advisory reports, “FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.” It is important to note that reports like this are usually part of our sharing agreements and processes, so it’s more than likely that when customers receive this type of report, its intelligence will already be in ours, or it’s in the process of being ingested after validation.
FortiGuard Labs has been actively monitoring FALLCHILL and validating all IOCs, whether we discovered them ourselves through one of our millions of sensors deployed around the world, or collected from the hundreds of threat sharing feeds we subscribe to. Our comprehensive threat information-sharing program includes Governments, Certs, and Strategic Partners from around the world.
In order to avoid creating any false positives for our customers, we also perform additional validations on all reported IOCs to ensure they are accurate. All IOCs that have been validated as part of FALLCHILL are now an active part of our Threat Intelligence system.
Internal testing by FortiGuard Labs shows that all networks and devices being protected by FortiGate solutions running the latest updates were automatically protected from this malware. In addition, a fine-grained IPS signature is being created, and barring no unforeseen issues will be released on Friday, November. It will be identified as FALLCHILL.Botnet.
Organizations that identify any of the IOCs identified as part of the FALLCHILL malware should refer to the ‘Detection and Response’ and ‘Mitigation Strategies’ sections found in the US-CERT Alert (TA17-318A).