U.S. authorities issued a report Tuesday identifying a remote administration trojan (RAT) they say is used by the North Korea-based hackers to attack the aerospace, telecommunications and finance industries.
The tool, called FALLCHILL, is used by a group that the Department of Homeland Security refers to as Hidden Cobra. That group is more popularly known as Lazarus Group, North Korea’s most active hacking group.
The group has been widely accused of attempting multibillion-dollar bank thefts in 18 countries and aggression against “media, aerospace, financial, and critical infrastructure sectors in the United States and globally.”
Hidden Cobra has used FALLCHILL since 2016 “to target the aerospace, telecommunications, and finance industries,” U.S. officials say, citing “trusted third-party reporting.”
Lazarus Group is the result of a years-long national effort to develop and deploy hacking capabilities by North Korea.
“They have switched across different domains,” Jon R. Lindsay, a professor at the Global Affairs at the University of Toronto, told CyberScoop earlier this year. “In the last 10 years, it’s switched to cyber. North Korea keeps trying to find ways to come in under threshold deterrence, response, retaliation. The means it uses to do that have continually varied as the U.S. and South Koreans have come up with more effective deterrent regimes to lock that out.”
“North Korea is not famous for its considerable levels of access to the international community nor its internet infrastructure,” said Jon Condra, director of East Asian research and analysis at the threat intelligence firm Flashpoint. “That said, they’ve invested significantly in developing asymmetric cyber capabilities as a means of countering a symmetric military advantage on behalf of the United States and its allies in the region.”
FALLCHILL typically infected targets through other North Korean malware. The tool, which gives hackers complete control over an infected machine, is used to maintain persistence. DHS and FBI researchers identified 83 network nodes used by FALLCHILL malware infrastructure through which command and control was issued.
This RAT is likely one weapon among many in Lazarus Group’s arsenal. Earlier this year, DHS officials said Hidden Cobra also uses “DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.”