This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism
October 17, 2024
Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. ...
- Cyber Security Association of China calls for cybersecurity review of Intel products sold in China
October 16, 2024
The Cyber Security Association of China on Wednesday called for the launch of a systematic review of potential cybersecurity risks in Intel products due to frequent vulnerabilities and high failure rates, in order to effectively safeguard China’s national security and the legitimate rights and interests of Chinese consumers. The association cited four reasons for the review: ...
- Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data
October 16, 2024
From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics. In ...
- Tor Browser and Firefox users should update to fix actively exploited vulnerability
October 16, 2024
Mozilla has announced a security fix for its Firefox browser which also impacts the closely related Tor Browser. The new version fixes one critical security vulnerability which is reportedly under active exploitation. To address the flaw, both Mozilla and Tor recommend that users update their browsers to the most current versions available. Firefox users that have ...
- How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
October 15, 2024
Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). While ...
- Westpac and St George customers report third day of difficulties accessing internet banking
October 15, 2024
Westpac and subsidiaries including St George, Bank of Melbourne and BankSA have been hit by a string of outages. The bank said services were restored on Wednesday afternoon, but some customers continued to report disruptions. Treasurer Jim Chalmers says the government has been in contact with Westpac and described the internet and mobile banking issues as ...