FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
Enterprise | T1001 | .003 | Data Obfuscation: Protocol or Service Impersonation |
FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[1] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
FALLCHILL can delete malware and associated artifacts from the victim.[1] |
.006 | Indicator Removal: Timestomp | |||
Enterprise | T1082 | System Information Discovery |
FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
FALLCHILL collects MAC address and local IP address information from the victim.[1] |
ID | Name | References |
---|---|---|
G0032 | Lazarus Group |