FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

ID: S0181
Platforms: Windows
Version: 1.2
Created: 16 January 2018
Last Modified: 23 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

FALLCHILL has been installed as a Windows service.[2]

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

FALLCHILL encrypts C2 data with RC4 encryption.[1][2]

Enterprise T1083 File and Directory Discovery

FALLCHILL can search files on a victim.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

FALLCHILL can delete malware and associated artifacts from the victim.[1]

.006 Indicator Removal: Timestomp

FALLCHILL can modify file or directory timestamps.[1]

Enterprise T1082 System Information Discovery

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[1]

Enterprise T1016 System Network Configuration Discovery

FALLCHILL collects MAC address and local IP address information from the victim.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group