FBI, DHS issue new alerts about North Korean hackers

The FBI and DHS jointly issued two alerts about Hidden Cobra, the malicious cyber activity of North Korean government hackers, and the attackers' RAT FALLCHILL and backdoor Trojan Volgmer.

The FBI and DHS jointly issued two new alerts about cyber attacks by the North Korean government. This time, the alerts give details about the North Korean remote administration tool (RAT), dubbed FALLCHILL, as well as the North Korean backdoor Trojan Volgmer.

The two newest warnings follow the one issued by DHS and FBI in June; it detailed DeltaCharlie, North Korea’s DDoS botnet infrastructure, as well as other malware that is part of North Korean government attackers’ arsenal.

North Korean government’s FALLCHILL RAT

The technical alert about FALLCHILL, posted on US-CERT, claims North Korean government attackers have been using the malware since 2016 to target aerospace, telecommunications and finance industries.

FALLCHILL is a fully functional RAT and the primary component of a command and control (C2) infrastructure that uses multiple proxies to obscure network traffic between Hidden Cobra and a victim’s systems. Hidden Cobra is the code name the U.S. government uses for the malicious cyber activity of North Korean government hackers.

FALLCHILL first collects basic system information and keeps the communication hidden by sending it to the C2 using fake Transport Layer Security (TLS). The basic information collected includes information such as the OS version, processor, system name, MAC and local IP addresses.

Built-in functions of FALLCHILL allow the North Korean government hackers to gather information about all installed disks; to search, read, write, move, and execute files; to modify file or directory timestamps; to change the directory for a file or process; to create, start, and terminate a process and its primary thread; and to keep the infection hidden by deleting malware and artifacts from an infected system.

Victims’ machines become infected by visiting a tainted site, by unintentionally downloading the malware, or as a secondary payload delivered by different malware already infecting the machine. If infected, there can be “severe impacts,” such as disruption of operations, loss of proprietary or sensitive data, financial losses to restore systems, and a hit to an organization’s reputation.

The U.S. government identified 83 network nodes, as well as the countries in which the infected IP addresses are registered. The technical analysis includes details pertaining to detection and response, network signatures, host-based and YARA rules, as well as mitigation strategies.

North Korean government’s backdoor Trojan, Volgmer

US-CERT also said the FBI and DHS jointly issued analytic details about Volgmer, a backdoor Trojan used by Hidden Cobra actors. It has been observed in the wild targeting government, financial, media, and automotive industries since 2013. Victims’ boxes usually become infected via spear phishing, but North Korean government hackers can also use custom tools to compromise a system.

As a backdoor, Volgmer can gather system information, list directories, update service registry keys, upload and download files, execute commands, and terminate processes. One sample had botnet controller functionality.

According to the alert, Volgmer payloads can be 32-bit executables or dynamic-link library (dll) files. The malware tends to use TCP port 8080 or 8088 to communicate with the C2 server, but some payloads use SSL to obfuscate communications.

Persistence can be maintained by installing the malware as a service. Volgmer randomly selects an existing service in which to copy itself, then overwrites that service’s ServiceDLL registry value. Sometimes, Hidden Cobra actors name the created service using one of various hardcoded words.
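A defender-side check for the ServiceDLL persistence described above, added here as an illustration rather than anything taken from the DHS/FBI report; it assumes it is run with administrative rights on the Windows host being examined, and the heuristics it applies (DLL outside the Windows directory, invalid or missing Authenticode signature, file modified within the last 30 days, file missing) are the author's own choices, not indicators from the alert.

```powershell
# Added example (not from the alert): enumerate every service's ServiceDLL
# value and flag entries worth a closer look. Run as Administrator.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = @()

foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $paramsPath = "$servicesKey\$($svc.PSChildName)\Parameters"
    if (-not (Test-Path -Path $paramsPath)) { continue }

    # Property access is case-insensitive, so ServiceDll / ServiceDLL both resolve
    $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # Expand %SystemRoot% and friends so the path can be tested on disk
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons  = @()

    # Legitimate svchost-hosted DLLs almost always live under the Windows directory
    if ($expanded -notlike "$env:SystemRoot\*") { $reasons += 'outside SystemRoot' }

    if (Test-Path -Path $expanded) {
        # Catalog-signed system DLLs report Valid on Windows 8+; on older hosts
        # treat a NotSigned result as a lead, not a verdict
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

        # A DLL under a long-standing service that was written recently is suspicious
        $age = (Get-Date) - (Get-Item -Path $expanded).LastWriteTime
        if ($age.TotalDays -lt 30) { $reasons += 'modified in last 30 days' }   # threshold is an assumption
    } else {
        $reasons += 'file missing on disk'
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service    = $svc.PSChildName
            ServiceDll = $dll
            Reason     = ($reasons -join '; ')
        }
    }
}

# Review the flagged entries; compare against a known-good baseline where one exists
$findings | Sort-Object Service | Format-Table -AutoSize
```

Running the same script on a clean reference build of the same Windows version and diffing the output reduces the noise from legitimately unsigned or recently patched components.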

The U.S. government’s analysis of Volgmer’s infrastructure found it using 94 static IP addresses, as well as dynamic IP addresses registered in India, Iran, Pakistan, Saudi Arabia, Taiwan, Thailand, Sri Lanka, China, Vietnam, Indonesia, and Russia.

As with the FALLCHILL alert, the federal government included details about detection and response, network signatures, host-based and YARA rules, and mitigation strategies, and released indicators of compromise (IOCs) and a Malware Analysis Report (MAR).
