FALLCHILL

FALLCHILL is a malicious software (malware) typically introduced into a system as a file dropped by other HIDDEN COBRA malware. It has been linked to the North Korea-associated Lazarus APT group, who notably utilized a MacOS variant of the malware for the first time. The cybersecurity company that reported on FALLCHILL described its payload as an encrypted and obfuscated binary which, once decrypted, installs FALLCHILL onto the target machine as a service. This process often leads to the victim's system being infected with a Remote Administration Tool (RAT), allowing the attacker control over the compromised system. The FALLCHILL malware stands out due to its sophisticated use of encryption and obfuscation techniques. All samples of the malware were found to use 16-byte hardcoded RC4 keys for data transmission, a feature also observed in the AppleJeus samples. The malware employs an RC4 encryption algorithm with a 16-byte key to secure its communications, thereby making detection and analysis more challenging for cybersecurity professionals. Furthermore, FALLCHILL was identified as the final payload for Celas Trade Pro, highlighting its role in advanced persistent threat (APT) campaigns. As a fully functional RAT, FALLCHILL provides adversaries with extensive control over infected systems via command and control (C2) servers. It comes with a multitude of built-in functions for remote operations, enabling a variety of actions on a victim's system. These capabilities include retrieving information about all installed disks, creating, starting, and terminating processes, manipulating files and directories, and even deleting malware and associated artifacts from the infected system. The U.S. Government has attributed FALLCHILL to HIDDEN COBRA, underscoring the serious threat this malware poses to global cybersecurity.