A Detailed Analysis of Lazarus’ RAT Called FALLCHILL

Lazarus

FALLCHILL is a RAT that has been used by the Lazarus Group since 2016. The malware decrypts multiple strings at runtime using an XOR algorithm and the hard-coded RC4 key “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”. It implements a custom algorithm that decodes multiple DLL names and export function names, which are then resolved and imported at runtime. The process collects the following data from the machine and uses it to generate a victim ID: OS version information, MAC address, host name, and host IP address. The following IP addresses are the C2 servers that instruct the malware which command to perform: 175.100.189.174 and 125.212.132.222. The diagram shown below summarizes all the functionality implemented by this RAT.
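As an added illustration (not code from the white paper or its author), the following Python triage helper uses the RC4 key and C2 addresses quoted above: it flags those indicators in a byte buffer and applies RC4 under that key to recover encrypted strings an analyst has carved from a sample. The RC4 routine, the sample buffer and the encrypted test string are constructed here; the page does not give ciphertext samples or the details of the XOR and DLL-name decoding routines, so those are not reproduced.

```python
# Added analyst helper; not from the original analysis. The key and C2 addresses
# are the values quoted in the summary, everything else is constructed here.
RC4_KEY = bytes.fromhex("0D06092A864886F70D0101010500" "0382")  # 16 bytes
C2_ADDRESSES = ("175.100.189.174", "125.212.132.222")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The cipher is symmetric, so this both encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the input
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_indicators(buf: bytes) -> dict:
    """Return {indicator: offset} for the hard-coded key and plaintext C2 strings."""
    hits = {}
    off = buf.find(RC4_KEY)
    if off != -1:
        hits["rc4_key"] = off
    for ip in C2_ADDRESSES:
        off = buf.find(ip.encode())
        if off != -1:
            hits[ip] = off
    return hits


def decrypt_strings(blobs) -> list:
    """Decrypt carved string blobs with the hard-coded key; undecodable bytes are replaced."""
    return [rc4(RC4_KEY, b).decode("ascii", "replace") for b in blobs]


# Constructed sample region: padding, the key, a NOP sled, and one C2 address in clear.
CONSTRUCTED_BUFFER = b"\x00" * 16 + RC4_KEY + b"\x90" * 8 + b"125.212.132.222\x00"
# Constructed ciphertext: the other C2 address encrypted under the same key.
ENCRYPTED_C2 = rc4(RC4_KEY, b"175.100.189.174")

if __name__ == "__main__":
    print(find_indicators(CONSTRUCTED_BUFFER))
    print(decrypt_strings([ENCRYPTED_C2]))
```

Matching on the key bytes alone is a weak signature: the sequence is the DER-encoded rsaEncryption AlgorithmIdentifier that precedes any embedded RSA public key, so it also appears in benign binaries and should be combined with the other indicators.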

Download A Detailed Analysis of Lazarus’ RAT Called FALLCHILL white paper.