By SecureWorld News Team
Wed | Nov 15, 2017 | 7:58 AM PST

Have you noticed a fall chill in the air?

More importantly, have you detected FALLCHILL malware hiding on your network?

New advisory issued on FALLCHILL

FALLCHILL is North Korea's latest RAT (remote administration tool) that allows the country's cyber actors to secretly mine for your data.

The Department of Homeland Security and the FBI issued a joint Technical Alert with indicator of compromise (IOC) specifics, so you can find out whether it is lurking on your network.

RAT functionality of FALLCHILL

FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:

  • retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
  • create, start, and terminate a new process and its primary thread;
  • search, read, write, move, and execute files;
  • get and modify file or directory timestamps;
  • change the current directory for a process or file; and
  • delete malware and artifacts associated with the malware from the infected system.

Here is the communication flow (and, as a reminder, "HIDDEN COBRA" is the U.S. codeword for North Korean cyber operators):

How FALLCHILL RAT infects your system

"FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL."

This latest RAT should not surprise anyone, because North Korea is one of the top three cyber threats to the United States, according to Major General Brett Williams.

Williams used to be Director of Operations at U.S. Cyber Command, and we interviewed him at SecureWorld Detroit: