FALLCHILL is a RAT that has been used by Lazarus Group since 2016. The malware decrypts multiple strings at runtime using XOR and RC4 with the hard-coded key “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”. It implements a custom algorithm that decodes multiple DLL names and export function names, which are then resolved and imported at runtime. The process collects the following data from the machine and generates a victim ID from it: OS version information, MAC address, host name and host IP address. The following IP addresses are the C2 servers that instruct the malware on which command to perform: 188.8.131.52 and 184.108.40.206. The diagram presented below shows all the functionalities implemented by this RAT.
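As an added example (not code from the white paper), the RC4 routine below lets an analyst recover the strings FALLCHILL decrypts at runtime; it uses the hard-coded key quoted above, and the encrypted sample blobs are constructed here by encrypting known strings with that key.

```python
# Added example: RC4 string-decryption helper for FALLCHILL analysis.
# The key is the hard-coded value reported on this page; sample blobs are constructed.
from typing import Iterable, List

# 16-byte hard-coded RC4 key as quoted on this page (bytes.fromhex ignores spaces).
FALLCHILL_RC4_KEY = bytes.fromhex("0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82")


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_strings(blobs: Iterable[bytes], key: bytes = FALLCHILL_RC4_KEY) -> List[str]:
    """Decrypt each carved blob and keep only results that look like printable ASCII."""
    results = []
    for blob in blobs:
        text = rc4_crypt(key, blob).rstrip(b"\x00")
        if text and all(0x20 <= b < 0x7F for b in text):
            results.append(text.decode("ascii"))
    return results


# Constructed sample: two library/export names plus one non-string blob that the
# printable filter should drop. Built by encrypting with the same key (RC4 is symmetric).
SAMPLE_BLOBS = [
    rc4_crypt(FALLCHILL_RC4_KEY, s)
    for s in (b"kernel32.dll\x00", b"GetProcAddress\x00", b"\x01\x02\x03")
]

if __name__ == "__main__":
    for recovered in decrypt_strings(SAMPLE_BLOBS):
        print(recovered)
```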
Download the white paper “A Detailed Analysis of Lazarus’ RAT Called FALLCHILL”.