This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Over a million user accounts ‘stolen’ in South Africa
November 28, 2022
Cyber security firm Kaspersky has warned that over a million company user accounts were compromised using a ‘data stealer’ in South Africa since 2021, and that the data may well have ended up on forums and markets on the dark web. The company said the average price that criminals charge for access to corporate systems in ...
- Major Twitter hack sees 5.4 million phone numbers and email addresses leaked on the dark web
November 28, 2022
More than 5.4 million Twitter user records, including personal phone numbers and email addresses, are up for grabs on the dark web in a massive data dump that some believe the Elon Musk-owned firm is attempting to cover up. The data dump was identified by Chad Loder, the founder of cyber security awareness company Habitu8, who ...
- Decentralized Robbery: Dissecting the Nomad Bridge Hack and Following the Money
November 28, 2022
In this blog post, Mandiant takes a deeper look into how the Nomad bridge smart-contract was exploited and analyzes the on-chain transactions post-compromise using cybercrime prevention company Cyber Team Six’s (CT6) blockchain investigative software, CryptoVoyant. Background In early August 2022, the public observed yet another bridge attack, this time against the Nomad token bridge—a “bridge” allows interoperability ...
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
November 28, 2022
ISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added ...
- Gangs of cybercriminals are expanding across Africa, investigators say
November 27, 2022
Police and investigators fear organised gangs of fraudsters are expanding across sub-Saharan Africa, exploiting new opportunities as a result of the Covid-19 pandemic and the global economic crisis to make huge sums with little risk of being caught. The growth will have a direct impact on the rest of the world, where many victims of “hugely ...
- Ransomware gang targets Belgian municipality, hits police instead
November 26, 2022
The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium. The leaked data reportedly exposed thousands of car number plates, fines, crime report files, personnel details, investigation reports, and more. This type of ...