This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Threat in your browser: what dangers innocent-looking extensions hold for users
August 16, 2022
Whether you want to block ads, keep a to-do list or check your spelling, browser extensions allow you to do all of the above and more, improving convenience, productivity and efficiency for free, which is why they are so popular. Chrome, Safari, Mozilla — these and many other major Web browsers — have their own ...
- RTLS systems vulnerable to MiTM attacks, location manipulation
August 16, 2022
Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data. RTLS technology is widely used in industrial environments, mass transit, healthcare, and smart city applications. Its primary role is to assist in safety by defining geofencing zones using tracking tags, signal ...
- Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
August 16, 2022
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include: CVE-2022-24682 CVE-2022-27924 CVE-2022-27925 ...
- Disrupting SEABORGIUM’s ongoing phishing operations
August 15, 2022
The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to ...
- Attacker’s psychology: what to consider when defending against DDoS attacks
August 15, 2022
Although DDoS attacks are mainly carried out with bots, the initiators and coordinators of the attacks are humans. The nature of the attacks, their intensity and duration largely depend on their motivation and behaviors. According to StormWall researchers observations, attackers who launch DDoS attacks almost always want to ensure that their efforts have been successful and ...
- Over 9,000 VNC servers exposed online without a password
August 14, 2022
Researchers have discovered at least 9,000 exposed VNC (virtual network computing) endpoints that can be accessed and used without authentication, allowing threat actors easy access to internal networks. VNC (virtual network computing) is a platform-independent system meant to help users connect to systems that require monitoring and adjustments, offering control of a remote computer via RFB ...