Skip to content

S0181 FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. 1

Item Value
ID S0181
Associated Names
Type MALWARE
Version 1.2
Created 16 January 2018
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service FALLCHILL has been installed as a Windows service.2
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography FALLCHILL encrypts C2 data with RC4 encryption.12
enterprise T1083 File and Directory Discovery FALLCHILL can search files on a victim.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion FALLCHILL can delete malware and associated artifacts from the victim.1
enterprise T1070.006 Timestomp FALLCHILL can modify file or directory timestamps.1
enterprise T1082 System Information Discovery FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.1
enterprise T1016 System Network Configuration Discovery FALLCHILL collects MAC address and local IP address information from the victim.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1

References

  1. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  2. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.