HIDDEN COBRA / FALLCHILL blocking through ipset and iptables


See the US-CERT announcement "HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL".

The following script creates an ipset containing the IOC IP addresses, then uses iptables to log and block traffic to and from those hosts. Some of these appear to be otherwise benign hosts that were compromised for malicious activity, so there may be collateral damage, though the list is small. Use at your own risk.

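#!/usr/bin/env bash
# Block hosts designated as HIDDEN COBRA (North Korean FALLCHILL RAT) participants.
# See https://www.us-cert.gov/ncas/alerts/TA17-318A
#
# Builds an ipset named "hidden-cobra" from the indicator addresses in the
# alert, then inserts rules at the top of INPUT and OUTPUT that send matching
# packets to a chain which logs them (rate limited) and DROPs them.
#
# Re-running the script is safe: the previous jump rules, the log/drop chain
# and the set are all removed first, so the list below is always the complete
# and current block list.
#
# Scope: IPv4 only (ip6tables is not touched) and only traffic to/from this
# host (INPUT/OUTPUT). On a gateway, forwarded traffic would additionally need
# the same match in the FORWARD chain.
#
# Requires: root, iptables with the "set" match, and ipset.

set -euo pipefail

readonly SET_NAME=hidden-cobra
readonly CHAIN_NAME=LOG_DROP_HIDDEN_COBRA

# Indicator addresses from TA17-318A. Single hosts kept in a hash:net set so a
# whole prefix can be added later without changing the set type.
readonly IOC_ADDRS=(
  104.192.193.149
  111.207.78.204
  117.232.100.154
  119.10.74.66
  122.114.89.131
  122.114.94.26
  125.160.213.239
  125.212.132.222
  139.217.27.203
  173.0.129.65
  173.0.129.83
  175.100.189.174
  181.119.19.118
  181.119.19.141
  181.119.19.196
  181.119.19.5
  181.119.19.50
  181.119.19.54
  181.119.19.56
  181.119.19.58
  181.119.19.74
  190.105.225.232
  190.82.74.66
  190.82.86.164
  191.233.33.177
  191.234.40.112
  195.74.38.115
  196.25.89.30
  197.211.212.14
  199.167.100.46
  200.57.90.108
  203.160.191.116
  208.180.64.10
  208.78.33.70
  208.78.33.82
  209.183.21.222
  210.202.40.35
  216.163.20.178
  221.208.194.72
  221.235.53.229
  27.123.221.66
  36.71.90.4
  41.92.208.194
  41.92.208.196
  41.92.208.197
  5.79.99.169
  50.62.168.157
  59.90.93.138
  62.243.45.227
  64.29.144.201
  66.175.41.191
  66.232.121.65
  66.242.128.11
  66.242.128.12
  66.242.128.13
  66.242.128.134
  66.242.128.140
  66.242.128.158
  66.242.128.162
  66.242.128.163
  66.242.128.164
  66.242.128.170
  66.242.128.173
  66.242.128.179
  66.242.128.181
  66.242.128.185
  66.242.128.186
  66.242.128.223
  71.125.1.130
  71.125.1.132
  71.125.1.133
  71.125.1.138
  72.167.53.183
  75.103.110.134
  77.78.100.101
  81.0.213.173
  82.223.213.115
  82.223.73.81
  91.116.139.195
  96.65.90.58
  98.101.211.140
  98.101.211.162
  98.101.211.170
  98.101.211.251
  98.113.84.130
  98.159.16.132
)

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Delete every jump rule that sends set matches from a chain to CHAIN_NAME.
# Deleting by rule specification (not by line number) handles zero or several
# matching rules and avoids the renumbering that breaks number-based deletes.
# Globals:   SET_NAME, CHAIN_NAME (read)
# Arguments: $1 - chain (INPUT/OUTPUT), $2 - set direction (src/dst)
#######################################
remove_jump_rules() {
  local chain=$1
  local direction=$2
  # The loop ends on the first failed delete, i.e. when no rule is left
  # (or when the set does not exist, in which case no rule can reference it).
  while iptables -D "$chain" -m set --match-set "$SET_NAME" "$direction" \
      -j "$CHAIN_NAME" 2>/dev/null; do
    :
  done
}

[[ $EUID -eq 0 ]] || die "this script must run as root"
for tool in iptables ipset; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Remove existing jump rules before touching the set: the kernel refuses to
# destroy a set that rules still reference.
remove_jump_rules INPUT src
remove_jump_rules OUTPUT dst

# Remove the log/drop chain once nothing references it, so a rerun does not
# append a second LOG+DROP pair to a chain left over from a previous run.
iptables -F "$CHAIN_NAME" 2>/dev/null || true
iptables -X "$CHAIN_NAME" 2>/dev/null || true

# Recreate the set from scratch so stale entries never linger.
ipset -q -F "$SET_NAME" || true
ipset -q -X "$SET_NAME" || true
ipset -N "$SET_NAME" hash:net || die "could not create ipset $SET_NAME"

# -exist: a duplicate in IOC_ADDRS is not an error (the entry is simply kept).
for addr in "${IOC_ADDRS[@]}"; do
  ipset -exist -A "$SET_NAME" "$addr" || die "could not add $addr to $SET_NAME"
done

# Chain that logs and then drops. The limit keeps a flood of matches from
# filling the log. The prefix is shared by INPUT and OUTPUT hits; it is kept
# as-is because log parsers may key on it.
iptables -N "$CHAIN_NAME" || die "could not create chain $CHAIN_NAME"
iptables -A "$CHAIN_NAME" -m limit --limit 600/min \
  -j LOG --log-prefix "INPUT:DROP:HIDDEN_COBRA: " --log-level 6
iptables -A "$CHAIN_NAME" -j DROP

# Insert at position 1 so the block takes precedence over any accept rule.
iptables -I INPUT -m set --match-set "$SET_NAME" src -j "$CHAIN_NAME" \
  || die "could not insert INPUT rule"
iptables -I OUTPUT -m set --match-set "$SET_NAME" dst -j "$CHAIN_NAME" \
  || die "could not insert OUTPUT rule"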