FBI: North Korea Uses Malware to Attack Air and Telecom Sectors

The US FBI and the Department of Homeland Security have issued warnings about malware they attribute to North Korea. According to the warnings, the country uses the tools to target, among others, the aviation and telecom sectors and financial institutions.

In the first warning, which addresses the so-called Fallchill RAT (remote access trojan), the organizations write that they have identified certain IP addresses used by North Korea to carry out attacks, in addition to 83 network nodes. The country, referred to as "Hidden Cobra" in the warning, has been using the Fallchill malware since 2016 to attack the aforementioned sectors. The malware is placed on a system by a so-called dropper and uses various proxies to disguise traffic between infected systems and C2 servers.

The tool uses fake TLS traffic encrypted with RC4 to send information about an infected system to its operators. This includes, for example, information about the operating system, processor, system name and IP and MAC addresses. In addition, Fallchill can create processes and execute files, among other things. By releasing the information about the tools, the organizations want to ensure that others can defend themselves against the malware.

[Figure: Fallchill operation according to the warning]

A second tool is called Volgmer and serves as a backdoor, according to an additional warning. It has reportedly been in use since 2013 and targets governments, media companies, financial institutions and the automotive industry. It is spread through targeted phishing attacks, or spear phishing. The malware is most commonly found behind IP addresses in India, Iran and Pakistan.

This tool can upload and download files, modify registry keys and execute commands, among other things. Volgmer uses a custom binary protocol for communication with the C2 server and comes in the form of an executable or a DLL. For this tool, too, the FBI and Homeland Security share so-called IOCs, or indicators of compromise.