FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]
ID: S0181
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 27 March 2020
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation | FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography |
Enterprise | T1083 | File and Directory Discovery |
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | FALLCHILL can delete malware and associated artifacts from the victim.[1]
Enterprise | T1070.006 | Indicator Removal on Host: Timestomp |
Enterprise | T1082 | System Information Discovery | FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[1]
Enterprise | T1016 | System Network Configuration Discovery | FALLCHILL collects MAC address and local IP address information from the victim.[1]
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group |
References