This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- HHS: Ransomware groups continue to target U.S. health sector
January 25, 2023
The Royal and Blackcat ransomware groups continue to aggressively target the U.S. health sector, according to a recent advisory from the Department of Health and Human Services. Just this week, the Washington Post described an apparent recent attack by Blackcat on NextGen Healthcare, a company that provides electronic health record and practice management software to ...
- Data breach may have leaked classified law enforcement operations information to criminals
January 24, 2023
A company that provides tech solutions to law enforcement agencies has reportedly suffered a breach that might jeopardize ongoing police operations and undercover personnel. It is unclear if criminals currently under investigation have accessed the information, but the fact that cybercriminals have it and could potentially sell it is disturbing. On January 11, Wired reported that ...
- ACSC Ransomware Profile – Royal
January 24, 2023
The Australian Cyber Security Centre (ACSC) is aware of a ransomware variant called Royal, which is being used by cybercriminals to conduct ransomware attacks against multiple sectors and organisations worldwide, including Australia. Once gaining access to a victim’s environment, cybercriminals use this ransomware for similar purposes to other variants such as encrypting their data and ...
- Vice Society Ransomware Group Targets Manufacturing Companies
January 24, 2023
The Vice Society ransomware group made headlines in late 2022 and early 2023 during a spate of attacks against several targets, such as the one that affected the rapid transit system in San Francisco. Most reports have the threat actor focusing its efforts on the education and the healthcare industries. However, through Trend Micro’s telemetry data, ...
- New wave of attacks use ProxyNotShell/OWASSRF vulnerabilities to target Microsoft Exchange
January 24, 2023
Researchers at S.C. Bitdefender SRL today warned of a new wave of attacks using known vulnerabilities to target Microsoft Exchange. The researchers started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits to target on-premises Microsoft Exchange deployments at the end of November. The Server-Side Request Forgery attacks allow an attacker to send a crafted request ...
- LastPass owner GoTo says hackers stole customers’ backups
January 24, 2023
LastPass’ parent company GoTo – formerly LogMeIn – has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems. The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party ...