Details of a hacking tool known as FallChill, used by the North Korean hacking group tracked as Hidden Cobra, were disclosed to the public by the Department of Homeland Security (DHS).
Malicious cyber activity attributed to Hidden Cobra dates back to 2009. It includes exploitation of victims in the public and private sectors, theft of data, and disruption of website availability.
According to the DHS alert, which cites trusted third-party reporting, Hidden Cobra actors have likely been using FallChill malware since 2016 to target the aerospace, telecommunications, and finance industries. FallChill is a fully functional remote access trojan (RAT) with multiple commands that the actors can issue from a command and control (C2) server to a victim's system. It typically reaches a system as a file dropped by other Hidden Cobra malware, or as a file downloaded unknowingly by users visiting sites compromised by Hidden Cobra actors. The actors use an external tool or dropper to install FallChill as a service (the alert's term is "malware-as-a-service") and so establish persistence across reboots. Because FallChill is delivered by other Hidden Cobra tooling, additional Hidden Cobra malware may be present on systems compromised with FallChill.
FallChill can collect basic system information such as OS version, processor details, system name, local IP address information, a uniquely generated victim ID, and MAC addresses. It can also retrieve information about all installed disks, including the disk type and the amount of free space on each; create, start, and terminate a new process and its primary thread; search, read, write, move, and execute files; get and modify file or directory timestamps (timestomping, which defeats timeline-based forensics); change the current directory for a process or file; and delete the malware and its associated artifacts from the infected system, which is why a host may show only traces of an implant by the time it is examined.
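The persistence mechanism described above, a dropper registering the RAT as a service, is something a defender can hunt for without any FallChill-specific indicator. The following PowerShell script is an added example for this page, not code from the DHS alert and not a detection signature for FallChill: it enumerates installed services and flags any whose binary lives outside the directories where legitimate service executables are expected, is missing on disk, or fails Authenticode validation. The trusted-directory list and the expectation of a valid signature are assumptions about a typical enterprise build.

```powershell
# Added example: hunt for service-based persistence on a Windows host.
# Assumptions: legitimate service binaries live under %SystemRoot%,
# %ProgramFiles% or %ProgramFiles(x86)% and carry a valid Authenticode
# signature (catalog-signed Windows binaries validate on PowerShell 5+).

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName is either "quoted\path.exe" args or bare\path.exe args.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # first .exe, case-insensitive
    return $PathName
}

function Find-SuspiciousService {
    [CmdletBinding()]
    param()

    # Expected homes for service binaries (assumption); drop unset variables on 32-bit hosts.
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe     = Get-ServiceImagePath -PathName $_.PathName
        $reasons = @()

        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            # A service pointing at a missing file is either a stale entry or a
            # self-deleted implant; both deserve a look.
            $reasons += 'binary missing'
        } else {
            $inTrusted = $false
            foreach ($root in $roots) {
                if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $reasons += "outside trusted roots ($exe)" }

            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $exe
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run from an elevated prompt so every service's binary is readable.
Find-SuspiciousService | Format-Table -AutoSize
```

Expect some noise on first run: third-party agents installed under their own directories, or shipped unsigned, will be listed. The useful workflow is to baseline a clean reference host, then diff its output against hosts of interest, treating an unsigned binary in a user profile, %TEMP% or %ProgramData% that is registered with an automatic start mode as the highest-priority finding.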
A successful network intrusion can cause anything from minor to irreparable damage: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred in restoring systems and files, and potential harm to an organization's reputation.
A few universally applicable measures mitigate this class of intrusion. Use application whitelisting so that unapproved programs, including a RAT dropped into a user-writable directory, cannot run. Keep operating systems and software up to date with the latest patches. Maintain up-to-date antivirus software. Do not enable macros in email attachments. Block email messages with attachments from suspicious sources. Do not follow unsolicited web links in emails. Because FallChill arrives via a dropper and may sit alongside other Hidden Cobra tooling, a host where it is found should be examined for the companion malware, not simply cleaned of FallChill alone.
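The first three of those measures can be turned into concrete host settings. The script below is an added example written for this page, not part of the DHS alert: it builds an AppLocker allow-list from the binaries already installed in the program and Windows directories, deploys it in audit mode, sets the Office policy values that block macros in files that came from the Internet, and refreshes Defender signatures. It assumes a Windows 10 or Server host that is a clean reference build, Microsoft Defender as the antivirus, Office 2016 or later (the 16.0 policy key), and an elevated prompt; the Office application list and file locations are choices made for the example.

```powershell
# Added example: apply application whitelisting, macro blocking and AV updates.
# Assumptions: clean reference build, Microsoft Defender, Office 16.0 policy
# keys, elevated PowerShell. Start in audit mode and tune before enforcing.

$ErrorActionPreference = 'Stop'
$policyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Application whitelisting (AppLocker). Publisher rules where files are
#    signed, hash rules otherwise, generated from what is already installed in
#    the program and Windows directories. Anything dropped elsewhere (a user
#    profile, %TEMP%, a browser cache) is therefore not on the allow list.
$fileInfo = foreach ($dir in $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) {
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        Get-AppLockerFileInformation -Directory $dir -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
    }
}
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Switch every rule collection to audit mode: AppLocker event IDs 8003 (EXE/DLL)
# and 8006 (script/MSI) then record what *would* have been blocked without
# breaking users while the rule set is tuned.
$xml = [xml](Get-Content -LiteralPath $policyXml -Raw)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyXml)

# Rules are only evaluated while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml

# 2. Macros: block macros in Office files carrying the Mark-of-the-Web
#    (downloaded or received as a mail attachment) and disable unsigned macros
#    everywhere else. In production push these through Group Policy instead of
#    per-user HKCU.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # 1 = block macros from running in Office files from the Internet
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings 3 = disable all macros except digitally signed macros
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
}

# 3. Antivirus signatures and a quick view of the patch state.
Update-MpSignature
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
```

Scanning the Windows directory recursively takes several minutes and produces a large rule set; on a managed fleet the same policy is normally generated once on a reference image, reviewed, and distributed by Group Policy, with enforcement switched on only after the audit-mode event log has been quiet for the applications users actually need.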