Security Experts:

U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony PicturesBangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.


A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The U.S. Government has been able identify 83 network nodes in the infrastructure used by the FALLCHILL malware. The alert says that, according to a trusted third party, FALLCHILL uses fake SSL headers for communications. "After collecting basic system information, the backdoor will begin communication with the C&C server using a custom encrypted protocol with the header that resembles TLS/SSL packets," it reads."

In a separate alert issued Tuesday, the DHS and FBI shared a list of Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a variant of the Volgmer Trojan used by the North Korean government. The alert describes Volgmer as a backdoor Trojan “designed to provide covert access to a compromised system.” The DHS says at least 94 static IP addresses were identified to be connected to Volgmer's infrastrucutre, along with dynamic IP addresses registered across various countries.

According to DHS, the North Korea-linked hackers have been using Volgmer malware in attacks against the government, financial, automotive, and media industries since at least 2013.

“DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the alert states.

The DHS warned that spear phishing appears to be the primary delivery mechanism for Volgmer infections; but added that the Hidden Cobra threat actors also use a suite of custom tools, some of which could also be used to initially compromise a system. 

The alert with technical details and IOCs on FALLCHILL are available here. The alert and technical details for the the Volgmer Trojan are available here.

In June, US-CERT released a technical alert to warn organizations of distributed denial-of-service (DDoS) attacks conducted by Hidden Cobra.

Related: U.S. Warns of North Korea's 'Hidden Cobra' Attacks

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.