“FALLCHILL”: DHS, FBI Release Details On North Korean Hacking Tools
As tensions between the U.S. and North Korea mount, the DHS and FBI have just issued a pair of technical alerts about cyber attacks which they say are sponsored by the North Korean government and that have been targeting the aerospace, telecommunications and financial industries since 2016. According to the alert, North Korean hackers have used a type of malware referred to as “FALLCHILL” to gain entry to computer systems and compromise network systems.
Today, DHS and FBI released a pair of Joint Technical Alerts (TA17-318A and TA17-318B) that provide details on tools and infrastructure used by North Korea to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.
The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens. Working closely with our interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies.
Per the pair of techinical alerts, the FALLCHILL malware provides hackers with wide latitude to monitor and disrupt infected networks. The malware typically gains access to systems as a file sent via other North Korean malware or when users unknowingly downloaded it by visiting sites compromised by the hackers.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.
During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.
These latest technical alerts follow similar updates from DHS and the FBI from earlier this summer which highlighted malware they claimed North Korean hackers were utilizing to lauch DDoS attacks in the U.S. Per The Hill:
The agencies identified IP addresses associated with a malware known as DeltaCharlie, which North Korea uses to launch distributed denial-of-service (DDoS) attacks.
The alert called for institutions to come forward with any information they might have about the nation’s cyber activity, which the U.S. government refers to as “Hidden Cobra.”
“If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,” the alert reads.
The DHS and FBI also highlighted some vulnerabilities that North Korea has been known to exploit and recommended organizations upgrade to the latest versions of Adobe Flash Player, Microsoft Silverlight and Hangui Word Processor, or delete them altogether if the programs aren’t needed.
Of course, North Korea has routinely denied involvement in cyber attacks against other countries.