US blames North Korea for Fallchill trojan

Fallchill RAT was created by Hidden Cobra group, claim security agencies

The FBI and US Department of Homeland Security have issued a joint warning related to several IP addresses infected with the Fallchill remote access trojan (RAT) an alleged North Korean cyber weapon.

According to the alert, the Fallchill malware has been targeting the aerospace, telecommunications and finance industries since 2016. Once an infection has taken hold, the threat actors behind it can issue multiple commands from command and control (C2) servers while obfuscating their identities behind a number of proxies.

The agencies claim to have linked Fallchill to a group it calls Hidden Cobra, which is said to be a North Korean state-sponsored operation behind a number of other malware initiatives that has been active since 2009.

Advertisement - Article continues below

"Fallchill typically infects a system as a file dropped by other Hidden Cobra malware or as a file downloaded unknowingly by users when visiting sites compromised by Hidden Cobra actors," the advisory reads.

"Hidden Cobra actors use an external tool or dropper to install the Fallchill malware-as-a-service to establish persistence. Because of this, additional Hidden Cobra malware may be present on systems compromised with Fallchill."

In terms of operation, Fallchill allows the malicious actors to retrieve information about all installed disks; create, start and terminate new processes and their primary thread; read, search, write, move and execute files; access and modify file or directory timestamps; change the directory for a process or file and delete malware and related artifacts from the infected system.

Advertisement - Article continues below

This can lead to disruption of operations and temporary or permanent loss of files.

Further information on the hallmarks of Fallchill and Hidden Cobra activity, as well as how to resolve an infection, can be found here.

North Korea last month denied it was responsible for the WannaCry ransomware attack that attacked businesses and hospitals in the UK back in May, calling the UK government's allegation "wicked".

Main image credit: Bigstock

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

The road to recovery

30 Jun 2020