Crouching cyber Hidden Cobra: US warns Nork hackers are at it again with new software nasty

Fallchill file-stealing malware raids American networks

The FBI and US Homeland Security have issued an alert about a new strain of malware infecting American corporate systems and stealing sensitive data.

The remote access trojan (RAT), dubbed Fallchill, is the work of a North Korean hacking group called Hidden Cobra, which some at US-CERT believe was responsible for the WannaCry ransomware outbreak. Businesses are urged to remove Fallchill as "the highest priority." The Feds have published a list of IP addresses of public-facing machines infected by the software nasty, and sets of network intrusion detection rules, so IT admins can quickly find out if they've been hit.

Fallchill essentially opens a backdoor into infiltrated corporations, allowing its masterminds – likely to be Kim Jong-un's North Korean government – to extract highly confidential blueprints and other documents.

"According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries," the Feds' warning states. "The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies."

Fallchill gets onto Microsoft Windows computers via malware already in place on the machines, or getting onto poorly patched browsers via drive-by downloads. Once on a system, the code opens faked TLS connections for communications with the outside world, ciphering the data with RC4 encryption using the following key: 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82.

It then communicates to its command and control center via a couple of proxies for obfuscation and reports on the type of computer infected, its IP and MAC addresses, system name and processor type. It can then steal data, start up processes, fiddle with time stamps, and upgrade itself with new capabilities.

To lock down systems, the advisory recommends whitelisting applications and only letting admin-level staff install new software. Keeping up to date with patching and virus definition updates is also key, especially since Fallchill's fingerprints have been defined and sent out to antimalware toolmakers.

For a country with low PC penetration and a pitiful internet architecture, North Korea punches above its weight when it comes to hacking, if attribution claims turn out to be correct. Students who show an aptitude in computer security are reportedly put into a special school classes to hone their skills further and advance the ends of the cruel hermit regime.

With this latest outbreak, the FBI and DHS are asking IT admins who spot an infection to get in touch immediately and to take full forensic data to help in further investigations.

Finally, the Feds have emitted an advisory on another Hidden Cobra effort: Volger, which opens a remote-control backdoor on infected Windows PCs. It targets people working in government, and financial, automotive, and media industries, using spear-phishing, and concentrates on infiltrating networks in India, Iran, Saudi Arabia, Taiwan, and so on. Like for Fallchill, Uncle Sam has published guides on detecting the malware. ®

Biting the hand that feeds IT © 1998–2020