A Deep Dive Analysis of the FALLCHILL Remote Administration Tool
FortiGuard Labs Threat Research
Advanced Persistent Threat (APT) groups pose a serious threat to global security. Over the years, many threat groups have emerged, but none have attracted more attention than North Korean groups, due to the ongoing nature of the conflict between North Korea and the West. That, together with the considerable damage this threat group has already done (the most well-known cases being the infamous Sony attacks and the related Operation Blockbuster), has prompted significant institutional interest. The U.S. Government in particular refers to the malicious threat actor connected to the North Korean government as HIDDEN COBRA. US-CERT recently published several alerts [1] [2] detailing the actions of this threat actor.
In its most recent report, US-CERT warns about a special component, called FALLCHILL, that allows HIDDEN COBRA to remotely control a victim’s computer. FortiGuard Labs has been actively monitoring FALLCHILL, validating all of its IOCs (indicators of compromise), and providing protection …
IoC
SHA-256 hashes:
0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41
a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6
IP addresses:
10.10.30.110 (RFC 1918 private range)
125.212.132.222
175.100.189.174