FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

ID: S0181
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 16 January 2018
Last Modified: 23 April 2021

Techniques Used

Domain, ID, Name, Use

Enterprise T1543.003 Create or Modify System Process: Windows Service

FALLCHILL has been installed as a Windows service.[2]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

FALLCHILL encrypts C2 data with RC4 encryption.[1][2]

Enterprise T1001.003 Data Obfuscation: Protocol or Service Impersonation

FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[1]

Enterprise T1083 File and Directory Discovery

FALLCHILL can search files on a victim.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

FALLCHILL can delete malware and associated artifacts from the victim.[1]

Enterprise T1070.006 Indicator Removal: Timestomp

FALLCHILL can modify file or directory timestamps.[1]

Enterprise T1082 System Information Discovery

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[1]

Enterprise T1016 System Network Configuration Discovery

FALLCHILL collects MAC address and local IP address information from the victim.[1]

Groups That Use This Software

ID, Name, References

G0032 Lazarus Group [1]

References