This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- #StopRansomware: Cuba Ransomware
December 1, 2022
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations, third-party reporting, and open-source reporting. This advisory updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware. Note: ...
- New DuckLogs malware service claims having thousands of ‘customers’
December 1, 2022
A new malware-as-a-service (MaaS) operation named ‘DuckLogs’ has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host. DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds. The ...
- Lastpass says hackers accessed customer data in new breach
November 30, 2022
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both ...
- New details on commercial spyware vendor Variston
November 30, 2022
Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet ...
- All India Institute of Medical Sciences restores e-Hospital data after cyber attack
November 30, 2022
The server at the All India Institute of Medical Sciences (AIIMS) in Delhi has been down for the eighth day in a row, and according to reports, more analysts from Delhi are under consideration for suspension for cybersecurity violations after two of them were already suspended. According to the sources quoted by the report, “The sanitising ...
- Crafty threat actor uses ‘aged’ domains to evade security platforms
November 30, 2022
A sophisticated threat actor named ‘CashRewindo’ has been using ‘aged’ domains in global malvertising campaigns that lead to investment scam sites. Malvertising involves the injection of malicious JavaScript code in digital ads promoted by legitimate advertising networks, taking website visitors to pages that host phishing forms, drop malware, or operate scams. The CashRewindo malvertising campaigns are spread ...