HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert includes IOCs related …
IoC
rule rc4_stack_key_fallchill
{
    meta:
        description = "rc4_stack_key"
    strings:
        $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key
}

rule success_fail_codes_fallchill
{
    meta:
        description = "success_fail_codes"
    strings:
        $s0 = { 68 7a 34 12 00 }
        $s1 = { ba 7a 34 12 00 }
        $f0 = { 68 5c 34 12 00 }
        $f1 = { ba 5c 34 12 00 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
}
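The two YARA rules above share one guard (a PE file: "MZ" at offset 0 and "PE" at the offset stored in e_lfanew at 0x3c) and then look for byte patterns, with "??" standing for any single byte. The following Python is an added example, not part of the alert or its IOC files: it re-implements both rule conditions so that each part can be read and exercised, and it uses only the hex strings printed in the rules. In practice the rules are run with YARA itself; this code only mirrors their logic. The helper names (hex_pattern_to_regex, is_pe, fill_wildcards, build_fake_pe) are this example's own, and every buffer it builds is constructed synthetic data, not a FALLCHILL sample.

```python
"""Added example (not US-CERT's code): plain-Python mirror of the two FALLCHILL
YARA rules in TA17-318A. All inputs built here are synthetic test buffers."""
import re
import struct

# Hex strings copied verbatim from the two YARA rules in the alert.
STACK_KEY_PATTERN = (
    "0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? "
    "05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 "
    "00 01 00 00 7c eb"
)
S0_PATTERN, S1_PATTERN = "68 7a 34 12 00", "ba 7a 34 12 00"
F0_PATTERN, F1_PATTERN = "68 5c 34 12 00", "ba 5c 34 12 00"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into a bytes regex: '??' matches any single
    byte, every other token is one literal byte."""
    parts = []
    for tok in pattern.strip("{} ").split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def is_pe(data: bytes) -> bool:
    """Equivalent of 'uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550':
    'MZ' at offset 0 and 'PE' at the offset held in the DOS header field
    e_lfanew (offset 0x3c). Both reads are little-endian, as in YARA."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False  # e_lfanew points outside the buffer: treat as no match
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


STACK_KEY = hex_pattern_to_regex(STACK_KEY_PATTERN)
S0, S1 = hex_pattern_to_regex(S0_PATTERN), hex_pattern_to_regex(S1_PATTERN)
F0, F1 = hex_pattern_to_regex(F0_PATTERN), hex_pattern_to_regex(F1_PATTERN)


def rc4_stack_key_fallchill(data: bytes) -> bool:
    """Mirror of rule rc4_stack_key_fallchill: PE guard AND the $stack_key pattern."""
    return is_pe(data) and STACK_KEY.search(data) is not None


def success_fail_codes_fallchill(data: bytes) -> bool:
    """Mirror of rule success_fail_codes_fallchill: PE guard AND
    (($s0 and $f0) or ($s1 and $f1)). The pairs are the same two 32-bit
    immediates encoded once as 'push imm32' (0x68) and once as
    'mov edx, imm32' (0xba); the rule wants a matching pair, not a mix."""
    def found(rx):
        return rx.search(data) is not None
    return is_pe(data) and ((found(S0) and found(F0)) or (found(S1) and found(F1)))


def fill_wildcards(pattern: str, filler: int = 0x41) -> bytes:
    """Materialise a hex pattern as concrete bytes, substituting `filler` for
    every '??'. Only used to construct synthetic buffers for testing."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())


def build_fake_pe(payload: bytes) -> bytes:
    """Construct the smallest buffer that satisfies is_pe(): 'MZ' at 0,
    e_lfanew = 0x40 at offset 0x3c, 'PE\\0\\0' at 0x40, then the payload.
    Synthetic and not a valid executable; it only exercises the header guard."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    key_sample = build_fake_pe(fill_wildcards(STACK_KEY_PATTERN))
    codes_sample = build_fake_pe(
        fill_wildcards(S1_PATTERN) + b"\x90" * 16 + fill_wildcards(F1_PATTERN)
    )
    for name, buf in [("key_sample", key_sample), ("codes_sample", codes_sample)]:
        print(name, rc4_stack_key_fallchill(buf), success_fail_codes_fallchill(buf))
```

Two points the re-implementation makes visible: the header guard means the patterns are never evaluated against a non-PE buffer at all, so the same bytes inside a memory dump or a non-PE container will not fire these rules, and the second rule requires the success and failure constants to appear in the same encoding form ($s0 with $f0, or $s1 with $f1), so a file containing only one of the pair, or a mixed pair, does not match.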