FBI, DHS Link Fallchill Malware to North Korea

Posted November 15, 2017

Both alerts pertain to threats from North Korean cyber actors: the remote administration tool (RAT) known as Fallchill and the trojan malware Volgmer.

U.S. officials earlier this year blamed the group for a series of cyberattacks dating back to 2009, saying it was linked to the Pyongyang government.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Tuesday, November 14, 2017 issued two joint technical alerts.

FALLCHILL allows Hidden Cobra to issue commands to a victim's server through dual proxies, which means it can potentially retrieve information about all installed disks, access files, modify file or directory timestamps, and delete evidence of its presence on the infected server.

The alerts say FBI investigators suspect the Fallchill tool has been used since 2016 and Volgmer since 2013.

US officials told AFP that a hacker group called "Hidden Cobra", also known as "Lazarus", has the ability to "maintain a presence on victims' networks" with the aim of "further network exploitation".

Private security analysts refer to Hidden Cobra as the "Lazarus" group of hackers linked to North Korea and likely behind a series of multimillion-dollar cyber thefts from banks around the world.

"Some intrusions have resulted in the exfiltration of data while others have been disruptive in nature." US-CERT, which is part of the DHS National Cybersecurity and Communications Integration Center (NCCIC), released an analysis in August 2017 of a piece of malware known as DeltaCharlie, which North Korea uses to launch distributed denial of service (DDoS) attacks on companies or other domains.