This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Hackers use Golang source code interpreter to evade detection
January 24, 2023
A Chinese-speaking hacking group tracked as ‘DragonSpark’ was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral ...
- Apple fixes actively exploited iOS zero-day on older iPhones, iPads
January 23, 2023
Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads. This bug is tracked as CVE-2022-42856, and it stems from a type confusion weakness in Apple’s Webkit web browser browsing engine. Read more… Source: Bleeping Computer
- FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft
January 23, 2023
The FBI continues to combat malicious cyber activity, including the threat posed by the Democratic People’s Republic of Korea (DPRK) to the U.S. and our private sector partners. Through our investigation, we were able to confirm that the Lazarus Group (also known as APT38), cyber actors associated with the DPRK, are responsible for the theft ...
- CISA Adds One Known Exploited Vulnerability to Catalog
January 23, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the ...
- Russia’s largest ISP says 2022 broke all DDoS attack records
January 23, 2023
Russia’s largest internet service provider Rostelecom says 2022 was a record year for Distributed denial of service attacks (DDoS) targeting organizations in the country. DDoS attacks are cyberattacks aimed at making an internet-connected website or service unavailable by overwhelming it with many requests that deplete the server’s ability to accept new connections, causing the service to ...
- Hacker finds copy of TSA no-fly list on exposed cloud storage
January 22, 2023
A copy of the U.S. Transportation Security Administration’s “no-fly list” has been found by a Swiss hacker exposed on the open internet in yet another case of misconfigured cloud storage. First reported by The Daily Dot, the exposure of the database was found by a Swiss hacker known as “maia arson crimew” on a server run ...