The US Department of Homeland Security (DHS) and the FBI have issued joint technical alerts detailing cyberattacks launched by North Korean hackers against the aerospace, telecommunications, financial and critical infrastructure sectors in the US since 2016. The alert issued on Tuesday, 14 November 2017, said the North Korean hacking group Hidden Cobra, also known as the Lazarus Group or Guardians of Peace, has been using malware called Fallchill since 2016 to target the aerospace, telecommunications and finance industries.
The fully functional remote access trojan (RAT) lets the threat actors issue multiple commands to a victim's infected system from a command-and-control server via dual proxies. The malware typically infects a targeted system as a file dropped by other Hidden Cobra malware or as a file unknowingly downloaded from a site compromised by the group, authorities said.
Fallchill then collects basic host information, including the OS version, system name and local IP address, among other details. It also supports multiple remote operations, including searching for, reading, writing, moving and executing files, as well as retrieving information about all installed disks, including the disk type and the amount of free space on each disk.
The malware also has the ability to remove itself and traces of it from the infected system, making it harder to detect.
The US government's alert also listed IP addresses the FBI said were linked to the hacking campaign.
The DHS and FBI also described another trojan malware variant called Volgmer used by the North Korean government-linked group. The Volgmer malware has been observed in the wild targeting government, automotive, financial and media industries.
Authorities suspect that Hidden Cobra uses spear-phishing techniques to deliver Volgmer. However, the group is known to use a suite of custom tools, some of which could also be used to initially compromise a targeted system.
"As a backdoor trojan, Volgmer has several capabilities, including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes and listing directories," the alert read. "In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
"The US government has analysed Volgmer's infrastructure and identified it on systems using both dynamic and static IP addresses." At least 94 static IP addresses, as well as dynamic IP addresses registered across various countries, have been identified so far. Most of these IP addresses were located in India (25.4%), Iran (12.3%), Pakistan (11.3%) and Saudi Arabia (6%).
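Both alerts ship their IP addresses as indicators that defenders are expected to run against egress firewall and proxy logs. The following is an added example, not code from the alerts or from the article: it loads an indicator list (single hosts and CIDR ranges), parses key=value firewall log lines and reports which internal hosts talked to a listed address. The indicator values and log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, not the addresses the FBI published, and the CSV layout and log format are assumptions to be adapted to the real files.

```python
"""Match firewall/proxy log lines against an IP indicator list.

Added illustration. The indicators and log lines below are constructed
placeholders (RFC 5737 documentation ranges), not the addresses from the
DHS/FBI alerts; replace IOC_CSV with the published indicator file.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed indicator list. Assumption: a simple CSV with an 'indicator'
# column; the real alert attachments use their own layout.
IOC_CSV = """indicator,type,note
203.0.113.45,ipv4,constructed placeholder for a listed C2 address
198.51.100.0/24,ipv4-net,constructed placeholder for a listed range
192.0.2.77,ipv4,constructed placeholder
"""

# Constructed firewall log lines (assumed syslog-like key=value layout),
# including one malformed line to show it is skipped rather than crashing.
SAMPLE_LOG = """2017-11-15T10:01:02Z fw01 src=10.0.5.12 dst=203.0.113.45 dport=443 proto=tcp action=allow
2017-11-15T10:01:07Z fw01 src=10.0.5.12 dst=192.0.2.9 dport=443 proto=tcp action=allow
2017-11-15T10:02:11Z fw01 src=10.0.7.3 dst=198.51.100.200 dport=8080 proto=tcp action=allow
2017-11-15T10:03:45Z fw01 src=10.0.5.12 dst=203.0.113.45 dport=443 proto=tcp action=allow
garbled line with no fields
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_iocs(csv_text):
    """Parse the indicator CSV into ip_network objects.

    Single hosts become /32 (or /128) networks so that one membership test
    covers both host and range indicators. Comment lines are skipped.
    """
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["indicator"].strip()
        if not value or value.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def parse_line(line):
    """Extract key=value fields from one log line.

    Returns None for lines without a parseable destination address, so a
    corrupt line never aborts the whole sweep.
    """
    fields = dict(KV_RE.findall(line))
    if "dst" not in fields:
        return None
    try:
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_hits(log_text, nets):
    """Sweep the log against the indicator networks.

    Returns (hits, by_src): hits is a list of
    (timestamp, src, dst, matched_indicator) tuples in log order, and
    by_src counts matches per internal source address, which is the
    list of hosts to pull for triage.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for net in nets:
            if rec["dst"] in net:
                hits.append((rec["ts"], rec["src"], str(rec["dst"]), str(net)))
                break
    by_src = Counter(h[1] for h in hits)
    return hits, by_src


if __name__ == "__main__":
    hits, by_src = find_hits(SAMPLE_LOG, load_iocs(IOC_CSV))
    for ts, src, dst, net in hits:
        print(f"{ts} {src} -> {dst} (matched {net})")
    for src, n in by_src.most_common():
        print(f"triage {src}: {n} connection(s) to listed addresses")
```

Matching is done against `ip_network` objects rather than string comparison so that a published range and a single address are handled the same way, and a hit on a range indicator still reports the exact destination the host contacted. In a real sweep the timestamps and source addresses from `by_src` are what go to the host-triage queue; the indicator file itself should be refreshed whenever the alert is updated.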
The new alerts come amid rising tensions between the US and North Korea over Pyongyang's rapid advancement of its nuclear programme and defiant missile tests.
In June, the DHS and FBI released a warning about Hidden Cobra and its cyberactivities targeting media, financial, aerospace and other key infrastructure sectors in the US and globally since 2009. However, North Korea has continued to deny any involvement in cyberattacks against other countries, including the 2014 Sony hack and the global WannaCry ransomware attacks.