Security Alert
Jonathan Crowe
Nov 2017

North Korean "FallChill" Malware Infecting U.S. Businesses

A joint alert issued by the U.S. Department of Homeland Security and the FBI identifies a new strain of malware that should be given "the highest priority."

Key Details

  • New malware tied to North Korean hackers: According to the alert, FallChill is being used by the North Korean hacking group "Hidden Cobra," the same group some experts believe was responsible for the WannaCry ransomware outbreak in May.
  • What FallChill does: FallChill is a fully functional remote access trojan (RAT) that gives attackers control over victim machines, allowing them to steal information and execute a variety of commands.
  • In use since 2016: North Korean hackers have likely been using FallChill to compromise U.S. organizations since last year, targeting the aerospace, telecommunications, and finance industries, specifically.
  • List of IOCs provided: The alert includes indicators of compromise, including IP addresses linked to infected systems as well as network signatures and host-based rules system administrators can use to detect and prevent infections.
  • Barkly blocks FallChill: Barkly blocks both FallChill and Destover — another strain of malware associated with this attack — from executing, preventing this infection from taking hold or doing any damage.


On Tuesday, November 14, 2017, the U.S. Department of Homeland Security (DHS) and the FBI issued a warning that North Korean hackers are actively infecting U.S. corporations with malware designed to gain control of their machines and steal sensitive information.

The alert identified the malware as "FallChill," a remote access trojan that installs a backdoor to control and siphon data from infected machines. DHS and FBI authorities have tied the use of FallChill to the North Korean hacking group "Hidden Cobra," which some experts believe was responsible for the WannaCry ransomware outbreak in May. 

According to the alert, it's likely that Hidden Cobra has been using FallChill to compromise corporations since 2016, specifically targeting organizations in the aerospace, telecommunications, and finance industries. Businesses are urged to make prevention, detection, and removal of this threat "the highest priority."

To help organizations do that, authorities have provided indicators of compromise (IOCs) as well as a list of network signatures and YARA rules that network admins can use to detect malicious activity associated with Hidden Cobra.

How FallChill works

According to the alert, FallChill is typically either dropped onto victims' systems by other Hidden Cobra malware or unknowingly downloaded by victims when they visit websites that have been compromised by the hacking group.

Once on a machine, FallChill collects basic system information and establishes communication with a command and control (C2) server using a custom encrypted protocol whose record headers mimic TLS/SSL, so that the traffic passes for ordinary HTTPS on a casual look. From there, FallChill appears to work in combination with a variant of the Destover malware to give attackers the following remote command and control capabilities on infected machines:

  • retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • create, start, and terminate a new process and its primary thread
  • search, read, write, move, and execute files
  • get and modify file or directory timestamps
  • change the current directory for a process or file
  • delete malware and artifacts associated with the malware from the infected system

If Destover sounds familiar, that's because it's the malware experts believe was used in the Sony Pictures Entertainment hack back in 2014.
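The "looks like TLS but isn't" C2 channel described above is something a network defender can test for without any FallChill sample in hand. The following is an added example, not code from the alert, from Barkly, or from FallChill itself: a small parser that splits a client-to-server byte stream into TLS records and flags streams whose 5-byte headers are TLS-shaped but whose bodies do not follow the TLS handshake state machine (application data before any ClientHello, a first handshake message that is not a ClientHello, or a header that claims more bytes than exist). All sample byte strings are constructed here for illustration; FallChill's actual wire format is not on this page and is not reproduced.

```python
"""Added example: heuristic detection of 'fake TLS' C2 traffic.
Not from the US-CERT alert, Barkly, or FallChill; samples are constructed."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# SSL 3.0 through TLS 1.3 record-layer version fields
VALID_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 4)}
CLIENT_HELLO = 1


def parse_records(stream: bytes):
    """Split a byte stream into (content_type, version, body) records.
    Raises ValueError when a header claims more bytes than are present."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"record at offset {off} claims {length} bytes, "
                             f"only {len(body)} present")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def check_client_stream(stream: bytes):
    """Return anomaly strings for the client-to-server half of a session.
    An empty list means the bytes are consistent with a genuine TLS client."""
    try:
        records = parse_records(stream)
    except ValueError as err:
        return [str(err)]
    anomalies, handshake_seen = [], False
    for i, (ctype, ver, body) in enumerate(records):
        if ctype not in CONTENT_TYPES:
            anomalies.append(f"record {i}: unknown content type {ctype}")
            continue
        if ver not in VALID_VERSIONS:
            anomalies.append(f"record {i}: unusual version {ver}")
        if ctype == 22:
            # handshake message = 1-byte type + 3-byte length + body
            if len(body) < 4:
                anomalies.append(f"record {i}: handshake record too short")
                continue
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            if hlen > len(body) - 4:
                anomalies.append(f"record {i}: handshake length {hlen} exceeds record")
            if not handshake_seen and htype != CLIENT_HELLO:
                anomalies.append(f"record {i}: first handshake message is type "
                                 f"{htype}, expected ClientHello")
            handshake_seen = True
        elif ctype == 23 and not handshake_seen:
            # a real client never sends application_data before its ClientHello
            anomalies.append(f"record {i}: application_data before any handshake")
    return anomalies


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (zeroed random, one cipher suite)."""
    hello = (b"\x03\x03" + bytes(32)       # client_version, 32-byte random
             + b"\x00"                     # empty session_id
             + b"\x00\x02\x00\x2f"         # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                # compression methods: null only
    msg = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(msg).to_bytes(2, "big") + msg


# Constructed "fake TLS" samples: a TLS-shaped header over a custom protocol.
FAKE_APPDATA_FIRST = b"\x17\x03\x01\x00\x10" + bytes(range(0xA0, 0xB0))
FAKE_BAD_HANDSHAKE = b"\x16\x03\x01\x00\x08" + b"\x05\x00\x00\x04\xde\xad\xbe\xef"
FAKE_TRUNCATED = b"\x16\x03\x01\x00\x2d\x01"

if __name__ == "__main__":
    for name, sample in [("genuine ClientHello", build_client_hello()),
                         ("fake: app data first", FAKE_APPDATA_FIRST),
                         ("fake: bad handshake", FAKE_BAD_HANDSHAKE),
                         ("fake: truncated", FAKE_TRUNCATED)]:
        print(f"{name:22} -> {check_client_stream(sample) or 'looks like TLS'}")
```

Run against a genuine ClientHello the checker returns nothing; each constructed fake produces one anomaly. In practice this is a triage heuristic, not a signature: it only inspects the client half of the stream, it does not reassemble handshake messages fragmented across records, and a well-built fake (a real-looking ClientHello followed by an encrypted custom protocol) would pass it, which is why the published IOCs and YARA rules remain the primary detection.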

Detecting and preventing FallChill infections

Organizations are advised to use the IOCs, network signatures, and YARA rules to identify whether their systems may have been infected by FallChill. The full list is published in the US-CERT alert (TA17-318A). Note that the IP addresses provided may include compromised proxies as well as attacker infrastructure, so a match warrants investigation rather than an automatic conclusion that the matched host is the adversary.

Barkly blocks FallChill automatically, preventing any data loss and keeping machines clear of infection.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

