FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. ^[1]

ID: S0181

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 16 January 2018

Last Modified: 23 April 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	FALLCHILL has been installed as a Windows service.^[2]
Enterprise	T1001	.003	Data Obfuscation: Protocol Impersonation	FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	FALLCHILL encrypts C2 data with RC4 encryption.^[1]^[2]
Enterprise	T1083		File and Directory Discovery	FALLCHILL can search files on a victim.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	FALLCHILL can delete malware and associated artifacts from the victim.^[1]
		.006	Indicator Removal on Host: Timestomp	FALLCHILL can modify file or directory timestamps.^[1]
Enterprise	T1082		System Information Discovery	FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.^[1]
Enterprise	T1016		System Network Configuration Discovery	FALLCHILL collects MAC address and local IP address information from the victim.^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[1]

References

US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.

Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.

FALLCHILL

Enterprise Layer

Techniques Used

Groups That Use This Software

References