FALLCHILL RAT cyber threat

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint technical alert on updated threat intelligence on a remote administration tool (RAT) dubbed FALLCHILL used by the North Korean government.

The U.S. Government refers to malicious cyber activity conducted by the North Korean government as HIDDEN COBRA.

The IOCs further include IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures, according to the alert (TA17-318A).

HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target organizations in the aerospace, telecommunications, and finance industries.

The alert provides guidance to organizations for suggested response actions to IOCs, mitigation techniques (such as network signatures and host-based rules to detect malicious activity) and how to report incidents.

More information on HIDDEN COBRA has been provided at https://www.us-cert.gov/hiddencobra. Fortinet also released a deep dive analysis of FALLCHILL in a recent blog post as well.