FALLCHILL HIDDEN COBRA The North Korean Remote Administration Tool
FALLCHILL was produced by the North Korean government (also known as HIDDEN COBRA).
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries.
The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.
FALLCHILL can also execute processes, modify files and delete artefacts associated with its installation.
Resolution:-
A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. Network, proxy and firewall logs should be monitored for suspicious activity.
To block HIDDEN COBRA FAILCHILL ensure you block the following command and control IP addresses :-
| 125[.]212[.]132[.]222 |
| 175[.]100[.]189[.]174 |
| 81[.]0[.]213[.]173 |
| 98[.]101[.]211[.]162 |
| 181[.]119[.]19[.]118 |
| 181[.]119[.]19[.]141 |
| 181[.]119[.]19[.]196 |
| 181[.]119[.]19[.]5 |
| 181[.]119[.]19[.]50 |
| 181[.]119[.]19[.]54 |
| 181[.]119[.]19[.]56 |
| 181[.]119[.]19[.]58 |
| 181[.]119[.]19[.]74 |
| 190[.]105[.]225[.]232 |
| 41[.]92[.]208[.]194 |
| 41[.]92[.]208[.]196 |
| 41[.]92[.]208[.]197 |
| 209[.]183[.]21[.]222 |
| 190[.]82[.]74[.]66 |
| 190[.]82[.]86[.]164 |
| 111[.]207[.]78[.]204 |
| 119[.]10[.]74[.]66 |
| 122[.]114[.]89[.]131 |
| 122[.]114[.]94[.]26 |
| 139[.]217[.]27[.]203 |
| 221[.]208[.]194[.]72 |
| 221[.]235[.]53[.]229 |
| 77[.]78[.]100[.]101 |
| 81[.]0[.]213[.]173 |
| 62[.]243[.]45[.]227 |
| 117[.]232[.]100[.]154 |
| 59[.]90[.]93[.]138 |
| 125[.]160[.]213[.]239 |
| 27[.]123[.]221[.]66 |
| 36[.]71[.]90[.]4 |
| 191[.]233[.]33[.]177 |
| 200[.]57[.]90[.]108 |
| 5[.]79[.]99[.]169 |
| 203[.]160[.]191[.]116 |
| 196[.]25[.]89[.]30 |
| 82[.]223[.]213[.]115 |
| 82[.]223[.]73[.]81 |
| 91[.]116[.]139[.]195 |
| 195[.]74[.]38[.]115 |
| 210[.]202[.]40[.]35 |
| 104[.]192[.]193[.]149 |
| 173[.]0[.]129[.]65 |
| 173[.]0[.]129[.]83 |
| 191[.]234[.]40[.]112 |
| 199[.]167[.]100[.]46 |
| 208[.]180[.]64[.]10 |
| 208[.]78[.]33[.]70 |
| 208[.]78[.]33[.]82 |
| 216[.]163[.]20[.]178 |
| 50[.]62[.]168[.]157 |
| 64[.]29[.]144[.]201 |
| 66[.]175[.]41[.]191 |
| 66[.]232[.]121[.]65 |
| 66[.]242[.]128[.]11 |
| 66[.]242[.]128[.]12 |
| 66[.]242[.]128[.]13 |
| 66[.]242[.]128[.]134 |
| 66[.]242[.]128[.]140 |
| 66[.]242[.]128[.]158 |
| 66[.]242[.]128[.]162 |
| 66[.]242[.]128[.]163 |
| 66[.]242[.]128[.]164 |
| 66[.]242[.]128[.]170 |
| 66[.]242[.]128[.]173 |
| 66[.]242[.]128[.]179 |
| 66[.]242[.]128[.]181 |
| 66[.]242[.]128[.]185 |
| 66[.]242[.]128[.]186 |
| 66[.]242[.]128[.]223 |
| 71[.]125[.]1[.]130 |
| 71[.]125[.]1[.]132 |
| 71[.]125[.]1[.]133 |
| 71[.]125[.]1[.]138 |
| 72[.]167[.]53[.]183 |
| 75[.]103[.]110[.]134 |
| 96[.]65[.]90[.]58 |
| 98[.]101[.]211[.]140 |
| 98[.]101[.]211[.]170 |
| 98[.]101[.]211[.]251 |
| 98[.]113[.]84[.]130 |
| 98[.]159[.]16[.]132 |
| 197[.]211[.]212[.]14 |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.