On Tuesday, the Department of Homeland Security and the FBI issued a warning that North Korean hackers are actively infecting U.S. corporations with malware designed to gain control of their machines and steal sensitive information. The malware has been identified as “FallChill,” a Remote Access Trojan (RAT) that installs a backdoor to control and siphon data from infected computers. The malware has been tied to the North Korean hacking group “Hidden Cobra,” which some experts believe was also responsible for the WannaCry ransomware outbreak in May.
Businesses are urged to make prevention, detection, and removal of this threat their highest priority.

How FallChill works:

FallChill is typically either dropped onto victims' systems by other Hidden Cobra malware or unknowingly downloaded by victims when they visit websites that have been compromised by this hacking group.
Once on a machine, it collects basic system information and establishes communication with a command and control server on the Internet. From there, FallChill appears to work in combination with a variant of Destover malware to provide attackers with the following capabilities on infected machines:
  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Create, start, and terminate processes remotely (run rogue programs)
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Steal data
  • Change the current directory for a process or file
Businesses are advised to verify that their endpoint anti-virus programs are up to date, that their firewall gateways are current, and that none of their settings have been compromised.
If you need guidance or assistance with your security defenses, call ACT Network Solutions for a free consultation at (847) 639-7000 or e-mail info@actnetworksolutions.com.