The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used one of the APT group linked to the North Korean government tracked as Hidden Cobra (aka Lazarus Group).
The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.
According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.
In June, the United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of the North Korea’s ‘Hidden Cobra’ APT group.
Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.
The DHS and FBI issued a joint alert that reveals a remote administration tool (RAT) known as FALLCHILL was used by the North Korean hackers to target companies in the aerospace, finance, and telecommunications sectors.
“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL.” states the report.
“According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. “
The US experts identified 83 network nodes in the FALLCHILL infrastructure, including countries in which the infected IP addresses are registered.
The report includes a list of indicators of compromise (IOCs), Network Signatures associated with the threat and Yara rules for its detection.
The US DHS also published a separate report on another threat, the Volgmer Trojan used by the North Korean government. The Volgmer is a backdoor Trojan “designed to provide covert access to a compromised system,” it has been used since 2013.
“Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.” states the report.
“It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer”
This second report also includes details of the infrastructure associated with the malware and IoCs.
The DHS tracked at least 94 static IP addresses along with dynamic IP addresses registered across various countries, most of them in India (772 IPs – 25.4 percent), Iran (373 IPs – 12.3 percent), and Pakistan (343 IPs – 11.3 percent).
The Volgmer malware was used by Pyongyang in attacks against the government, financial, automotive, and media industries since at least 2013, The threat was delivered via spear-phishing emails.
The DHS warned of the Hidden Cobra availability of a suite of custom tools that the North Korean hackers used to hack into the companies.
(Security Affairs – Hidden Cobra, FALLCHILL)