This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- DodgeBox Loader Loading MoonWalk Backdoor
July 11, 2024
Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku. DodgeBox functions as a loader for a new backdoor named MoonWalk, which utilizes evasion techniques such as call stack spoofing, DLL sideloading, DLL hollowing and environmental guardrails similar ...
- Gay furry hackers strike massive cyber attack against US far-right Project 2025
July 10, 2024
A collective of self-described “Gay furry hackers” called SiegedSec managed to hack into the right-wing Heritage Foundation affiliated with Project 2025 in a massive cyber attack. The hackers released two gigabytes of data, including Heritage Foundation member names, email addresses, passwords, and usernames. SiegedSec claimed responsibility for the hack on Telegram, sharing that they breached online ...
- Alleged breached data of Airport and Aviation Services Sri Lanka surfaces online
July 10, 2024
A recent post on the notorious cybercrime forum BreachForums claims that the Airport and Aviation Services Sri Lanka (AASL) has suffered a data breach. According to the post, the breached data contains approximately 7,083 records that include names, NICs, emails, passport numbers, and other sensitive data. Blurred screenshot of post alleging Airport and Aviation Services Sri ...
- Reeling in DarkGate Malware Attacks from the Beach
July 10, 2024
Last year, the number of malware attacks worldwide reached 6.08 billion. That’s a 10% increase compared with 2022. Why are cybercriminals developing so much malware? Because it is a vital tool to help them infiltrate businesses, networks or specific computers to steal or destroy sensitive data. or destroy sensitive data. There are many types of malware ...
- Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims (CVE-2024-38112)
July 9, 2024
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE ...
- July Patch Tuesday Unleashes a Torrent of Updates
July 9, 2024
With the information security industry’s two largest conferences (Black Hat Briefings and Def Con) set to happen in less than a month, Microsoft pulled out all the stops and, for July, nearly tripled the number of patches they released in June for problems discovered in Windows, Office, and software that runs under various server and ...