The FBI and DHS jointly issued two alerts about Hidden Cobra, the malicious cyber activity of North Korean government hackers, covering the attackers' remote administration tool FALLCHILL and their backdoor Trojan Volgmer.

The FBI and DHS jointly issued two new alerts about cyber attacks by the North Korean government. This time, the alerts give details about FALLCHILL, a North Korean remote administration tool (RAT), and Volgmer, a North Korean backdoor Trojan.

The two newest warnings follow the one DHS and FBI issued in June, which detailed DeltaCharlie, North Korea's DDoS botnet infrastructure, along with other malware in the North Korean government attackers' arsenal.

North Korean government's FALLCHILL RAT

The technical alert about FALLCHILL, posted on US-CERT, says North Korean government attackers have been using the malware since 2016 to target the aerospace, telecommunications and finance industries.

FALLCHILL is a fully functional RAT and the primary component of a command and control (C2) infrastructure that uses multiple proxies to obscure network traffic between Hidden Cobra and a victim's systems. Hidden Cobra is the code name the U.S. government uses for the malicious cyber activity of North Korean government hackers.

Once running, FALLCHILL collects basic system information, including the OS version, processor, system name, and MAC and local IP addresses, and sends it to the C2 using fake Transport Layer Security (TLS): traffic dressed up to resemble TLS so that it blends in with legitimate encrypted sessions.

Built-in functions of FALLCHILL allow the North Korean government hackers to gather information about all installed disks; to search, read, write, move and execute files; to modify file or directory timestamps; to change the current directory for a file or process; to create, start and terminate a process and its primary thread; and to hide the infection by deleting malware and artifacts from an infected system.
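FALLCHILL hides its C2 traffic behind fake TLS. The alert's own network signatures are not reproduced here, and the page does not say what, specifically, is fake about the handshake; the script below is an added example, not code from the alert or from this article, of the generic check a sensor can apply to anything arriving on a TLS port: does the first record actually parse as a TLS ClientHello, with every inner length agreeing with the outer ones? The function names and the three byte strings are constructed for this illustration.

```python
"""Check whether bytes that claim to be TLS actually parse as a TLS ClientHello.

Added example, not code from the US-CERT alert: a conformance check that a
network sensor can apply to the first record a client sends on a connection.
Traffic that merely borrows the TLS record header (0x16 0x03 0x0X) but does
not carry a consistent handshake underneath fails the check.
"""
import struct


def build_client_hello(sni: str, cipher_suites=(0xC02F, 0x1301)) -> bytes:
    """Construct a syntactically valid TLS ClientHello record (constructed sample)."""
    client_random = bytes(range(32))  # fixed for reproducibility; real clients use a CSPRNG
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    host = sni.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host                 # name_type=host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + client_random                                 # client_version, random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_client_hello_problems(data: bytes) -> list:
    """Return conformance problems found in DATA; an empty list means it parses as a ClientHello."""
    problems = []
    if len(data) < 5:
        return ["shorter than a TLS record header"]
    ctype, vmaj, vmin = data[0], data[1], data[2]
    rec_len = struct.unpack("!H", data[3:5])[0]
    if ctype != 0x16:
        problems.append(f"record content type 0x{ctype:02x} is not handshake (0x16)")
    if vmaj != 3 or vmin > 4:
        problems.append(f"record version {vmaj}.{vmin} is not an SSL/TLS version")
    payload = data[5:5 + rec_len]
    if len(payload) != rec_len:
        problems.append(f"record length {rec_len} but only {len(payload)} payload bytes present")
        return problems
    if len(payload) < 4:
        return problems + ["handshake header truncated"]
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    if hs_type != 0x01:
        problems.append(f"handshake type 0x{hs_type:02x} is not ClientHello (0x01)")
    if hs_len != rec_len - 4:
        problems.append(f"handshake length {hs_len} does not match record payload {rec_len - 4}")
        return problems
    body = payload[4:]
    # Walk the variable-length fields; every declared length must fit in what remains.
    try:
        pos = 0
        if body[pos] != 3:
            problems.append("client_version major byte is not 3")
        pos += 2 + 32                                                  # client_version + random
        sid_len = body[pos]; pos += 1
        if sid_len > 32:
            problems.append(f"session_id length {sid_len} exceeds 32")
        pos += sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        if cs_len == 0 or cs_len % 2:
            problems.append(f"cipher_suites length {cs_len} is not a non-zero even number")
        pos += cs_len
        cm_len = body[pos]; pos += 1
        if cm_len == 0:
            problems.append("compression_methods is empty")
        pos += cm_len
        if pos > len(body):
            raise IndexError
        if pos < len(body):                                            # optional extensions block
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
            if pos + ext_len != len(body):
                problems.append(f"extensions length {ext_len} does not fill the remaining {len(body) - pos} bytes")
    except (IndexError, struct.error):
        problems.append("a declared field length runs past the end of the record")
    return problems


# Constructed "fake TLS": a correct-looking record header whose inner handshake
# length (16) does not agree with the record length (32 bytes of payload).
FAKE_TLS_BLOB = b"\x16\x03\x01\x00\x20" + b"\x01\x00\x00\x10" + bytes(28)

# Constructed: outer lengths consistent, but cipher_suites claims 65535 bytes.
OVERRUN_BLOB_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\xff\xff" + b"\x00\x04"
OVERRUN_BLOB = (b"\x16\x03\x01" + struct.pack("!H", 4 + len(OVERRUN_BLOB_BODY))
                + b"\x01" + len(OVERRUN_BLOB_BODY).to_bytes(3, "big") + OVERRUN_BLOB_BODY)

if __name__ == "__main__":
    for label, blob in (("real ClientHello", build_client_hello("example.com")),
                        ("fake TLS (length mismatch)", FAKE_TLS_BLOB),
                        ("fake TLS (cipher list overrun)", OVERRUN_BLOB)):
        print(label, "->", tls_client_hello_problems(blob) or "OK")
```

Run stand-alone it prints OK for the constructed ClientHello and names the field that breaks in each of the two fakes. A clean ClientHello does not clear a flow: a well-built fake TLS channel can send a valid hello and only diverge in later records, so apply the same idea to the server's reply and to every subsequent record (content type, version and length), and pair it with the indicators and signatures from the alert itself.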
Victims' machines become infected by visiting a tainted site, by unintentionally downloading the malware, or as a secondary payload delivered by different malware already infecting the machine. An infection can have "severe impacts," such as disruption of operations, loss of proprietary or sensitive data, the financial cost of restoring systems, and damage to an organization's reputation.

The U.S. government identified 83 network nodes, as well as the countries in which the infected IP addresses are registered. The technical analysis includes details on detection and response, network signatures, host-based and YARA rules, and mitigation strategies.

North Korean government's backdoor Trojan, Volgmer

US-CERT also said the FBI and DHS jointly issued analytic details about Volgmer, a backdoor Trojan used by Hidden Cobra actors. It has been observed in the wild targeting the government, financial, media and automotive industries since 2013. Victims' boxes usually become infected via spear phishing, but North Korean government hackers can also use custom tools to compromise a system.

As a backdoor, Volgmer can gather system information, list directories, update service registry keys, upload and download files, execute commands, and terminate processes. One sample had botnet controller functionality.

According to the alert, Volgmer payloads can be 32-bit executables or dynamic-link library (DLL) files. The malware tends to use TCP port 8080 or 8088 to communicate with the C2 server, but some payloads use SSL to obfuscate communications.

Persistence is maintained by installing the malware as a service. Volgmer randomly selects an existing service in which to install a copy of itself, then overwrites the ServiceDLL value in that service's registry entry so that the service loads the malware instead of its legitimate DLL. In some cases, the service created for the malware is named with one of various hardcoded words.

The U.S. government's analysis of Volgmer's infrastructure identified 94 static IPs, as well as dynamic IPs registered in India, Iran, Pakistan, Saudi Arabia, Taiwan, Thailand, Sri Lanka, China, Vietnam, Indonesia and Russia.

Like the FALLCHILL alert, the Volgmer alert includes details about detection and response, network signatures, host-based and YARA rules and mitigation strategies, and the government released indicators of compromise (IOC) and a Malware Analysis Report (MAR).
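The ServiceDLL hijack described above leaves a registry trace that can be checked offline from a triage export. The script below is an added example, not code from the alert or from this article: it parses a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump, decodes the hex(2)-encoded REG_EXPAND_SZ values that reg.exe writes, and flags every ServiceDll that does not resolve under System32 or SysWOW64. The export text, the service names and the C:\ProgramData path are constructed, and %SystemRoot% is assumed to be C:\Windows.

```python
"""Triage check for hijacked ServiceDll entries in a registry export.

Added example, not code from the US-CERT alert: Volgmer persists by copying
itself into an existing service and overwriting that service's ServiceDll
registry value.  This script parses a `reg export` of the Services hive and
flags any ServiceDll that does not resolve into the Windows system
directories.  The input below is a constructed excerpt, not a real host.
"""

# Constructed sample: two stock Windows services and one whose ServiceDll has
# been redirected to a DLL under C:\ProgramData.  REG_EXPAND_SZ values are
# exported as hex(2) (UTF-16LE bytes) and wrapped with trailing backslashes,
# as reg.exe writes them; REG_SZ values appear as quoted strings with escaped
# backslashes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\w32time.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,6e,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"""

# Assumption: %SystemRoot% is C:\Windows on the triaged host.
SYSTEM_ROOT = "c:\\windows"
TRUSTED_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")


def _decode_hex2(value: str) -> str:
    """Decode a hex(2):xx,00,... REG_EXPAND_SZ export (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_service_dlls(reg_text: str) -> dict:
    """Return {service_name: ServiceDll path} for every ServiceDll value in REG_TEXT."""
    found = {}
    current_key = None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.lower().startswith('"servicedll"='):
            value = line.split("=", 1)[1]
            while value.endswith("\\"):                # reg.exe wraps long values
                i += 1
                value = value[:-1] + lines[i].strip()
            if value.lower().startswith("hex(2):"):
                path = _decode_hex2(value[len("hex(2):"):])
            else:
                path = value.strip('"').replace("\\\\", "\\")
            parts = current_key.split("\\")            # ...\Services\<Name>\Parameters
            service = parts[parts.index("Services") + 1] if "Services" in parts else current_key
            found[service] = path
        i += 1
    return found


def suspicious_service_dlls(reg_text: str) -> list:
    """List (service, path) pairs whose ServiceDll is outside System32/SysWOW64."""
    hits = []
    for service, path in parse_service_dlls(reg_text).items():
        resolved = path.lower().replace("%systemroot%", SYSTEM_ROOT)
        if not resolved.startswith(TRUSTED_DIRS) or not resolved.endswith(".dll"):
            hits.append((service, path))
    return hits


if __name__ == "__main__":
    for service, path in suspicious_service_dlls(SAMPLE_REG_EXPORT):
        print(f"[!] {service}: ServiceDll -> {path}")
```

Treat hits as leads rather than verdicts: third-party services legitimately host DLLs outside System32, and a copy dropped into System32 under a plausible name passes this path check. Follow up by hashing each ServiceDll on disk, checking its Authenticode signature, and comparing against the hashes in the alert's IOC list.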