SafeBreach Labs has updated the Hacker's Playbook™ with simulations for new attacks described in US-CERT Alert TA17-318A and US-CERT Alert TA17-318B, both attributed to North Korean Hidden Cobra actors.

This attack uses a trojan called Volgmer for initial infection, which then downloads a Remote Access Tool (RAT) called FALLCHILL for subsequent data harvesting and command and control. Additionally, these tools can also be used separately.

SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.

To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook #1412 - Transfer of FALLCHILL

  • Network Controls - Are security controls in place to prevent the download and transfer of the infection malware used in this attack?

Playbook #1414 - Transfer of Volgmer

  • Network Controls - Are security controls in place to prevent the download and transfer of the RAT used in this attack?

Playbook #1413 - Local installation of FALLCHILL

  • Endpoint Controls - Are security controls in place to prevent the local deployment of the infection malware used in this attack?

Playbook #1415 - Local installation of Volgmer

  • Endpoint Controls - Are security controls in place to prevent the local deployment of the RAT used in this attack?

Additional breach methods added recently include:

The Safebreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.


Subscribe to blog post