Crouching cyber Hidden Cobra: US warns Nork hackers are at it again with new software nasty

Fallchill file-stealing malware raids American networks


The FBI and US Homeland Security have issued an alert about a new strain of malware infecting American corporate systems and stealing sensitive data.

The remote access trojan (RAT), dubbed Fallchill, is the work of a North Korean hacking group called Hidden Cobra, which some at US-CERT believe was responsible for the WannaCry ransomware outbreak. Businesses are urged to remove Fallchill as "the highest priority." The Feds have published a list of IP addresses of public-facing machines infected by the software nasty, and sets of network intrusion detection rules, so IT admins can quickly find out if they've been hit.

Fallchill essentially opens a backdoor into infiltrated corporations, allowing its masterminds – likely to be Kim Jong-un's North Korean government – to extract highly confidential blueprints and other documents.

"According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries," the Feds' warning states. "The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies."

Fallchill gets onto Microsoft Windows computers via malware already in place on the machines, or getting onto poorly patched browsers via drive-by downloads. Once on a system, the code opens faked TLS connections for communications with the outside world, ciphering the data with RC4 encryption using the following key: 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82.

It then communicates to its command and control center via a couple of proxies for obfuscation and reports on the type of computer infected, its IP and MAC addresses, system name and processor type. It can then steal data, start up processes, fiddle with time stamps, and upgrade itself with new capabilities.

To lock down systems, the advisory recommends whitelisting applications and only letting admin-level staff install new software. Keeping up to date with patching and virus definition updates is also key, especially since Fallchill's fingerprints have been defined and sent out to antimalware toolmakers.

For a country with low PC penetration and a pitiful internet architecture, North Korea punches above its weight when it comes to hacking, if attribution claims turn out to be correct. Students who show an aptitude in computer security are reportedly put into a special school classes to hone their skills further and advance the ends of the cruel hermit regime.

With this latest outbreak, the FBI and DHS are asking IT admins who spot an infection to get in touch immediately and to take full forensic data to help in further investigations.

Finally, the Feds have emitted an advisory on another Hidden Cobra effort: Volger, which opens a remote-control backdoor on infected Windows PCs. It targets people working in government, and financial, automotive, and media industries, using spear-phishing, and concentrates on infiltrating networks in India, Iran, Saudi Arabia, Taiwan, and so on. Like for Fallchill, Uncle Sam has published guides on detecting the malware. ®

Similar topics


Other stories you might like

  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading
  • Chinese tech minister says he's 'dealt with' 73,000 websites that breached the law

    Ongoing crackdown saw apps 1.83 million apps tested, 4,200 told to clean up their act, pop-up ads popped

    China's Minister of Industry and Information Technology, Xiao Yaqing, has given a rare interview in which he signalled the nation's crackdown on the internet and predatory companies will continue.

    The interview, reported in state-controlled organ Xinhua, reveals that China's recent crackdowns on inappropriate content and companies with monopolistic tendencies have both bitten – hard.

    The nation investigated 1.83 million apps to ensure they don't infringe users' rights. Some 4,200 illegal apps found to require "rectification".

    Continue reading

Biting the hand that feeds IT © 1998–2021