Malware Takes Aim at Financial Services, Aerospace and Telecommunications Industries
Since last year, North Korean hackers have been targeting businesses in the financial services, aerospace and telecommunications sectors using a remote administration tool, or RAT, according to an alert issued Tuesday by the United States Computer Emergency Response Team, part of the Department of Homeland Security.
According to the alert, the FBI and DHS identified internet protocol addresses and other indicators of compromise associated with the RAT, commonly known as FALLCHILL, used by the North Korean government. Federal authorities have labeled North Korean government malicious cyber activities as Hidden Cobra.
“The FBI has high confidence that Hidden Cobra actors are using the IP addresses to maintain a presence on victims’ networks and to further network exploitation,” the alert says.
Lazarus Group Ties
While Hidden Cobra is not a widely known moniker, the group is believed to be the same as the Lazarus Group, which is suspected of being responsible for some of the more notorious cyberattacks in recent years. That includes attacks targeting the SWIFT financial messaging system and Sony Pictures as well as the WannaCry ransomware campaign.
“Lazarus is not just another APT [advanced persistent threat] actor,” a Kaspersky Lab report concludes. “The scale of Lazarus operations is shocking. It has been on a growth spike since 2011.”
To help companies defend against FALLCHILL, the government is distributing the IP addresses to help toughen network defenses and reduce exposure to any North Korean government malicious cyber activity.
Muddling Network Traffic
FALLCHILL typically infects a system as a file dropped by other Hidden Cobra malware or as a file downloaded unknowingly by users when visiting sites compromised by Hidden Cobra actors, according to the alert.
The malware is the primary component of a command-and-control infrastructure that uses multiple proxies to obfuscate network traffic between Hidden Cobra actors and a victim’s system. The alert, citing trusted third-party reporting, notes that communication flows from the victim’s system to Hidden Cobra actors using a series of proxies as shown in the figure below.
FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption using a specific key. The malware collects basic system information and transmits that data to command-and-control servers.
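As an added illustration of the traffic pattern described above (this is not code from the alert or the article), the following analyst-side decoder splits a captured byte stream into TLS-looking records and decrypts each body with RC4. The key and the record framing are constructed assumptions for the example; the real key must be taken from the alert's indicators.

```python
# Added example, not from the alert or the article: an analyst-side decoder for
# RC4-encrypted data framed as TLS records. Key and framing are CONSTRUCTED assumptions.
import struct

PLACEHOLDER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not the real key

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # pseudo-random generation algorithm, keystream XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wrap_fake_tls(payload: bytes, key: bytes) -> bytes:
    """Frame RC4 ciphertext as a TLS 1.2 application-data record (type 0x17)."""
    body = rc4(key, payload)
    return struct.pack("!BHH", 0x17, 0x0303, len(body)) + body

def parse_fake_tls(stream: bytes, key: bytes) -> list:
    """Split a capture into TLS-framed records and decrypt each body with the known key.
    Returns [(content_type, plaintext), ...]; truncated or non-TLS data raises ValueError."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if version not in (0x0301, 0x0302, 0x0303):
            raise ValueError(f"not a TLS-looking record: version 0x{version:04x}")
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, rc4(key, body)))
        pos += 5 + length
    return records

# Constructed sample: two beacons carrying the kind of basic system information the alert mentions.
SAMPLE_STREAM = (wrap_fake_tls(b"host=WS01;os=Windows 7;user=alice", PLACEHOLDER_KEY)
                 + wrap_fake_tls(b"ping", PLACEHOLDER_KEY))

if __name__ == "__main__":
    for ctype, plain in parse_fake_tls(SAMPLE_STREAM, PLACEHOLDER_KEY):
        print(hex(ctype), plain)
```

Because RC4 is a stream cipher with no integrity check, a wrong key decrypts silently to garbage, so a decoded record should be sanity-checked (printable fields, expected delimiters) before it is treated as recovered beacon content.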
The alert provides network signatures and host-based rules that can be used to detect malicious activity associated with North Korean hackers. “Although created using a comprehensive vetting process, the possibility of false positives always remains,” the alert cautions. “These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to Hidden Cobra actors.”