FALLCHILL: North Korean RAT

FALLCHILL is a remote access trojan (RAT) that uses a pair of malware proxies to communicate with its command and control (C2) server.

Threat ID:: CC-1787
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Hacking tool, Drive by download
Published:: 16 November 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

FALLCHILL is a remote access trojan (RAT) that uses a pair of malware proxies to communicate with its command and control (C2) server.

Threat details

It is suspected that FALLCHILL was produced by the North Korean government (also known as HIDDEN COBRA) and as such its capabilities are focused towards data gathering and exfiltration. Infection occurs either through by a user downloading a file from a compromised website or as a file dropped by another North Korean-affiliated malware. Because of this additional malware may be present on a user's system. Once installed FALLCHILL collects basic information on the OS version, processor, local IP and MAC address, system name and user ID before sending it on to the C2 server. The malware then persists on the system.

FALLCHILL also contains the following built-in functions for remote operation:

create, execute, and terminate processes
search, modify, move, and execute files and directories
retrieve installed disk information
delete artifacts associated with its infection

Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer

Last edited: 17 February 2020 11:30 am