US-CERT, in coordination with the FBI and the Department of Homeland Security, recently released technical details of a remote administration tool (RAT) known as “FALLCHILL,” allegedly used by the hacker group “Hidden Cobra.” According to the alert, this attack tool has been in the wild since early 2016 and has been used as a launching point for major cyberattacks.
Regardless of where the malware originated, FALLCHILL is an example of how attackers continue to exploit enterprise weaknesses and a failure to adhere to cyber security best practices. With respect to FALLCHILL, targets fall victim to compromised websites that trick users into inadvertently downloading, installing and running this RAT on the target system, or it is downloaded by other malware to serve as the communication mechanism on the target system. Once on board, it acts as the command-and-control (C2) channel, communicating back to the attackers through a series of proxies.
Once installed, FALLCHILL, like all other RATs, acts as the end user: it can reside undetected and install other attack tools that further exploit the endpoint, enabling the attacker to reach other systems by compromising and stealing credentials. Once this happens, the attacker moves laterally to other systems using the stolen credentials.
In the alert, US-CERT highlights mitigation strategies that every organization should implement immediately – regardless of whether they’re a target of Hidden Cobra or another form of malware. These mitigation strategies include leveraging the principles of least privilege, implementing application control and disabling macros, along with keeping up to date on security patches and AV definitions.
Taking a closer look at the recommendations, application control, combined with the removal of administrative rights from all endpoints, has proven to be effective at preventing the installation of malware and other malicious applications. This approach eliminates the ability to steal and exploit privileged credentials to facilitate lateral movement, or to download additional malicious tools like Mimikatz, which is commonly used to harvest credentials from the various credential stores on an endpoint.
Looking beyond the recommendations, credential theft protection can help guard against attacks from malware like Mimikatz and stop the spread of malware by blocking access to the credential stores in the Windows operating system and to other credential caches found on endpoints, such as browser password stores and SSH keys. Furthermore, unknown applications can be greylisted to eliminate their ability to communicate back to their attackers, and when used in conjunction with a malware analysis engine such as the newly released Application Risk Analysis Service from CyberArk, these steps can help streamline decision making around application control policies.
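The US-CERT mitigations discussed above (least privilege, application control, disabled macros, current patches and AV definitions) can be checked on a Windows endpoint with a short read-only audit. The script below is an added example written for this post; it is not part of the original alert and is not CyberArk's code. It assumes Windows 10 / Server 2016 or later (for the built-in LocalAccounts and AppLocker modules), an Office release that stores its settings under the "16.0" registry path, and Windows Defender where the signature check is relevant; the 30-day patch and 3-day signature thresholds are assumed values to adjust to local policy.

```powershell
# Added example (not from the original post or from CyberArk): a read-only
# endpoint posture check for the mitigations in the US-CERT FALLCHILL alert.
# Assumptions: Windows 10 / Server 2016 or later; Office registry path "16.0";
# run from an elevated PowerShell session so every check can read its source.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Least privilege: which user accounts hold local administrator rights?
#    Any account beyond the built-in Administrator is worth reviewing.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.ObjectClass -eq 'User' -and $m.Name -notmatch '\\Administrator$') {
        $findings.Add("Least privilege: local admin rights held by user account $($m.Name)")
    }
}

# 2. Application control: is an AppLocker rule collection for executables
#    enforced, and is the Application Identity service (AppLocker's
#    dependency) actually running?
$appIdSvc = Get-Service -Name 'AppIDSvc' -ErrorAction SilentlyContinue
if (-not $appIdSvc -or $appIdSvc.Status -ne 'Running') {
    $findings.Add('Application control: Application Identity service (AppIDSvc) is not running')
}
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exeCollection -or $exeCollection.EnforcementMode -ne 'Enabled') {
    $findings.Add('Application control: no enforced AppLocker rule collection for executables')
}

# 3. Macros: Office VBAWarnings values are 1 = enable all, 2 = disable with
#    notification, 3 = disable except digitally signed, 4 = disable all without
#    notification. Only 3 or 4 satisfy the "disable macros" recommendation.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $value = $null
    foreach ($key in $policyKey, $userKey) {
        $item = Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue
        if ($item) { $value = $item.VBAWarnings; break }   # Group Policy value wins when both exist
    }
    if ($null -eq $value -or $value -lt 3) {
        $findings.Add("Macros: $app VBAWarnings is '$value' (expected 3 or 4)")
    }
}

# 4. Patching and AV definitions: age of the newest installed hotfix and of
#    the Defender signatures (Get-MpComputerStatus exists only where Defender is present).
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix -and $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Patching: newest hotfix $($lastHotfix.HotFixID) was installed on $($lastHotfix.InstalledOn.ToShortDateString())")
}
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusSignatureAge -gt 3) {
    $findings.Add("AV: Defender signatures are $($mp.AntivirusSignatureAge) days old")
}

# Report: an empty list means every checked mitigation is in place.
if ($findings.Count -eq 0) {
    Write-Output 'All checked mitigations are in place.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads state and reports gaps; it changes nothing, so it can run from an endpoint management tool as a recurring compliance check. The AppLocker and Defender checks are deliberately separate: an AppLocker policy that is present but whose rule collection is in audit mode, or whose Application Identity service is stopped, is not enforcing anything, which is the kind of gap the alert's "implement application control" recommendation is meant to close.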
The new CyberArk Application Risk Analysis Service extends capabilities of CyberArk Endpoint Privilege Manager through machine learning and cloud-based analytics to help stop attackers from gaining a foothold on endpoints by detecting potentially malicious applications, which enables timely, well-informed privilege and application control policy decisions. To learn more, visit https://www.cyberark.com/best/.