Hidden Cobra APT Advisory

The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) have identified two tools used by the Advanced Persistent Threat Group, HIDDEN COBRA, better known as Lazarus Group. The first tool, Volgmer [1], is a Trojan capable of allowing the threat actor covert access to compromised systems and is delivered via targeted spear phishing emails. The second tool is a Remote Administration Tool (RAT) labeled FALLCHILL [2]. This RAT is fully functional and able to issue a wide variety of commands from a C2 server to the victim’s device. The successful use of either tool may have sever impacts, including the loss of sensitive data, operational disruption and reputational damage.

What we’re doing about it

• eSentire has taken preventative measures to monitor and disrupt connection for network infrastructure related to Volgmer and FALLCHILL on esNETWORK.
• File hashes linked to both tools are banned from execution on endpoints monitored by esENDPOINT.

What you should be doing about it

• Deploy application whitelisting to ensure that only authorized software can be installed and execute functions.
• Restrict administrative privileges based on the user’s requirements.
• Ensure users are informed about current threats through awareness programs and training.

Additional information

• The Volgmer Trojan has been actively used since 2013 against government, financial, automotive, and media industry targets.
• The first known use of the FALLCHILL RAT occurred in 2016. Since then FALLCHILL has been actively used against the aerospace, telecommunications, and financial industries.
• Compromise by either of these tools may indicate that additional Hidden Cobra Malware is present.

For more information visit:

[1]https://www.us-cert.gov/ncas/alerts/TA17-318A(FALLCHILL)
[2]https://www.us-cert.gov/ncas/alerts/TA17-318B (Volgmer)