What FallChill does: FallChill is a fully functional RAT that gains control over victim machines to steal information and execute a variety of commands.
In use since 2016: North Korean hackers have likely been using FallChill to compromise U.S. organizations since last year, specifically targeting the aerospace, telecommunications, and finance industries.
List of IOCs provided: The alert includes indicators of compromise, including IP addresses linked to infected systems as well as network signatures and host-based rules system administrators can use to detect and prevent infections.
Barkly blocks FallChill: Barkly blocks both FallChill and Destover — another strain of malware associated with this attack — from executing, preventing this infection from taking hold or doing any damage.
On Tuesday, the U.S. Department of Homeland Security (DHS) and the FBI issued a warning that North Korean hackers are actively infecting U.S. corporations with malware designed to gain control of their machines and steal sensitive information.
The alert identified the malware as "FallChill," a remote access trojan that installs a backdoor to control and siphon data from infected machines. DHS and FBI authorities have tied the use of FallChill to the North Korean hacking group "Hidden Cobra," which some experts believe was responsible for the WannaCry ransomware outbreak in May.
According to the alert, it's likely that Hidden Cobra has been using FallChill to compromise corporations since 2016, specifically targeting organizations in the aerospace, telecommunications, and finance industries. Businesses are urged to make prevention, detection, and removal of this threat "the highest priority."
According to the alert, FallChill is typically either dropped onto victims' systems by other Hidden Cobra malware or unknowingly downloaded by victims when they visit websites that have been compromised by the hacking group.
Once on a machine, FallChill collects basic system information and establishes communication with a command and control (C2) server using a custom encrypted protocol with a header that resembles TLS/SSL packets. From there, FallChill appears to be working in combination with a variant of Destover malware to provide attackers with the following remote command and control capabilities on infected machines:
retrieve information about all installed disks, including the disk type and the amount of free space on the disk
create, start, and terminate a new process and its primary thread
search, read, write, move, and execute files
get and modify file or directory timestamps
change the current directory for a process or file
delete malware and artifacts associated with the malware from the infected system
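The alert describes FallChill's C2 channel only as a custom encrypted protocol whose header resembles TLS/SSL packets. The following is an added example, not code from Barkly, DHS/FBI or the alert, of one structural check a defender can run on the first bytes a client sends on a connection: it confirms that a TLS-looking handshake record header is actually followed by a well-formed ClientHello, and reports why when it is not. The genuine and fake samples are constructed here for illustration; the fake-header sample is a generic stand-in and does not reproduce FallChill's real protocol, whose byte layout the page does not give.

```python
import struct

# TLS record layer constants (RFC 5246): the handshake content type and the
# record-version values a real client would send.
TLS_HANDSHAKE = 0x16
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
CLIENT_HELLO = 0x01


def parse_record_header(data):
    """Return (content_type, version, length) if the first five bytes look like
    a TLS handshake record header, else None."""
    if len(data) < 5:
        return None
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE or ver not in KNOWN_VERSIONS:
        return None
    return ctype, ver, length


def classify(data):
    """Classify the first bytes a client sent on a connection.

    Returns (verdict, reasons) where verdict is:
      'not_tls'    - no TLS-shaped record header at all
      'tls'        - header followed by a structurally valid ClientHello
      'suspicious' - TLS-shaped header, but the body is not a ClientHello
    """
    hdr = parse_record_header(data)
    if hdr is None:
        return "not_tls", []
    _, _, rec_len = hdr
    body = data[5:5 + rec_len]
    reasons = []
    if len(body) < 4:
        return "suspicious", ["record too short to hold a handshake header"]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO:
        reasons.append("first handshake message is not ClientHello")
    if hs_len + 4 != rec_len:
        reasons.append("handshake length does not match record length")
    # ClientHello layout: version(2) random(32) session_id(1+n)
    # cipher_suites(2+m) compression_methods(1+k) [extensions(2+e)]
    if len(body) < 39:
        reasons.append("ClientHello truncated")
        return "suspicious", reasons
    if int.from_bytes(body[4:6], "big") not in KNOWN_VERSIONS:
        reasons.append("ClientHello version is not a known TLS version")
    off = 39 + body[38]                      # skip the session id
    if off + 2 > len(body):
        reasons.append("cipher suite list truncated")
        return "suspicious", reasons
    cs_len = int.from_bytes(body[off:off + 2], "big")
    if cs_len == 0 or cs_len % 2:
        reasons.append("cipher suite list malformed")
    off += 2 + cs_len
    if off + 1 > len(body):
        reasons.append("compression method list truncated")
        return "suspicious", reasons
    off += 1 + body[off]
    if off > len(body):
        reasons.append("compression method list truncated")
    return ("tls", []) if not reasons else ("suspicious", reasons)


def build_client_hello(version=0x0303):
    """Constructed, minimal but well-formed ClientHello record (sample data)."""
    client_random = bytes(range(32))                  # constructed, not random
    suites = struct.pack("!HHH", 0xC02F, 0xC030, 0x009C)
    body = (struct.pack("!H", version) + client_random + b"\x00"  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # one method: null
            + b"\x00\x00")                                         # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def wrap_in_fake_tls_header(payload):
    """Constructed sample of traffic that only borrows the record header: a TLS
    handshake header followed by an opaque, non-TLS body (generic stand-in)."""
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(payload)) + payload


if __name__ == "__main__":
    samples = {
        "genuine ClientHello": build_client_hello(),
        "fake TLS header": wrap_in_fake_tls_header(b"\x7f" * 20),
        "plain HTTP": b"GET / HTTP/1.1\r\n",
    }
    for name, data in samples.items():
        verdict, reasons = classify(data)
        print(f"{name}: {verdict} {reasons}")
```

This only checks structure, so it will not identify a specific malware family; its value is in surfacing outbound connections on TLS ports whose first record is not a ClientHello, which a network sensor can then pair with the IP addresses and signatures published in the alert.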