FALLCHILL is a remote administration trojan (RAT) used by threat actors associated with the North Korean government, known as HIDDEN COBRA or Lazarus Group. The RAT has been used by the threat group since at least 2016 to exploit and maintain a presence on the networks of organizations within the aerospace, telecommunications, and finance industries. The trojan typically infects a system either via first-stage malware or via a drive-by download, in which a malicious file is unknowingly downloaded onto the user's system after the user visits a compromised site. The actors issue commands from their C2 server via dual proxies for added obfuscation.

FALLCHILL collects the following system data to send to its C2:

  • operating system version information
  • processor information
  • system name
  • local IP address information
  • unique generated ID
  • MAC address

FALLCHILL can perform the following functions:

  • retrieve information about all installed disks
  • create, start, and terminate a new process
  • search, read, write, move, and execute files
  • retrieve and modify file or directory timestamps
  • change the current directory for a process or file
  • delete malware and artifacts associated with the malware from the infected system

A successful network intrusion using FALLCHILL could result in the temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation. 

Technical Details

  • The United States Computer Emergency Response Team (US-CERT) released a joint Technical Alert detailing FALLCHILL and its use by HIDDEN COBRA, including technical details, network signatures and host-based rules, and mitigation strategies. The alert is available here.