The Digital Edge Security Team warns that HIDDEN COBRA actors have been using FALLCHILL malware to target IT infrastructures. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.
Dual proxies technique allows to change the vector of the attack and keep the real source of the attack hidden.
DHS and FBI specified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
The Digital Edge Security Team has updated its own core infrastructure to blackhole the routes (Null route) for the IP addresses listed in this report’s IOC files. All the clients collocated or managed in Digital Edge’s cloud are protected against attacks from the IP addresses specified by DHS and FBI.
A black hole route is a technique to forward unwanted or undesirable traffic into a black hole. In Cisco terminology, a special logical interface, called a null interface, is used to create the black hole. Static routes are created for destinations that are not desirable, and the static route configuration points to the null interface. Any traffic that has a destination address that has a best match of the black hole static route automatically is dropped. Unlike with ACLs, all switching processes of the Cisco IOS, including CEF, can handle black hole routes without any performance degradation.
Please follow the links below to download list of IP addresses and signatures:
In addition to that, Digital Edge vCloud clients are protected by FortiGate IPS system. The signatures of HIDDEN COBRA were uploaded in FortiGate IPS system to inspect and block traffic indicating HIDDEN COBRA malware.
More information:
Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies.
FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2:
- operating system (OS) version information,
- processor information,
- system name,
- local IP address information,
- unique generated ID, and
- media access control (MAC) address.
FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:
- retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- create, start, and terminate a new process and its primary thread;
- search, read, write, move, and execute files;
- get and modify file or directory timestamps;
- change the current directory for a process or file; and
- delete malware and artifacts associated with the malware from the infected system.
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Mitigation Strategies
Digital Edge recommends following best practices as preventive measures to protect their computer networks:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
- Do not follow unsolicited web links in emails.
