This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Potential hack for some Boeing planes fixed
August 12, 2022
A digital vulnerability in the computer systems used on some Boeing Co aircraft that could have allowed malicious hackers to modify data and cause pilots to make dangerous miscalculations has been fixed, security researchers said on Friday. Older versions of a digital tool used to calculate landing and take-off speeds on some aircraft could be tampered ...
- Chinese hackers backdoor chat app with new Linux, macOS malware
August 12, 2022
Versions of a cross-platform instant messenger application focused on the Chinese market known as ‘MiMi’ have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. SEKOIA’s Threat & Detection Research Team says that the app’s macOS 2.3.0 version has been backdoored for almost four ...
- UK: Ransomware attack on NHS systems could take weeks to fix, major IT provider warns
August 11, 2022
A cyberattack that hit a major IT provider for the NHS and severely affected the 111 service involved ransomware and could take up to four weeks to fix, it has emerged. Advanced, which supplies vital systems for the NHS, said it suffered a cyber breach around 7am on 4 August which has now been contained. The attack ...
- Cisco admits corporate network compromised by gang with links to Lapsus$
August 11, 2022
Cisco disclosed on Wednesday that its corporate network was accessed by cyber-criminals in May after an employee’s personal Google account was compromised – an act a ransomware gang named “Yanluowang” has now claimed as its work. The world’s largest networking vendor disclosed the months-old compromise after a list of files accessed during the incident appeared on ...
- #StopRansomware: Zeppelin Ransomware
August 11, 2022
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section ...
- Automotive supplier breached by 3 ransomware gangs in 2 weeks
August 10, 2022
An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. The attacks followed an initial breach of the company’s systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach ...