This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Luna and Black Basta – new ransomware for Windows, Linux and ESXi
July 20, 2022
In Kaspersky crimeware reporting service, they analyze the latest crime-related trends we come across. If Kaspersky look back at what they covered last month, they will see that ransomware (surprise, surprise!) definitely stands out. In this blog post, Kaspersky researchers provide several excerpts from last month’s reports on new ransomware strains. Last month, Kaspersky Darknet Threat ...
- Analyzing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data
July 20, 2022
The use of legitimate Windows tools as part of malicious actors’ malware arsenal has become a common observation in cyber incursions in recent years. We’ve discussed such use in a previous article where PsExec, Windows Management Instrumentation (WMI), simple batch files or third-party tools such as PC Hunter and Process Hacker were used to disable ...
- Russian cyber spies targeting NATO countries in new hacking campaign
July 19, 2022
Cyber spies suspected of working for Russia’s foreign intelligence service (SVR) are targeting NATO countries in a recent hacking campaign, according to a new industry report. The hackers are using online storage services such as Google Drive and Dropbox to avoid being detected, said cyber security company Palo Alto. The hacking attempts have included phishing emails containing ...
- Hacking group ‘8220’ grows cloud botnet to more than 30,000 hosts
July 19, 2022
A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts. The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Alitun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache. Previous attacks ...
- New CloudMensis malware backdoors Macs to steal victims’ data
July 19, 2022
Unknown threat actors are using previously undetected malware to backdoor macOS devices and exfiltrate information in a highly targeted series of attacks. ESET researchers first spotted the new malware in April 2022 and named it CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication. CloudMensis’ capabilities clearly show that ...
- Roaming Mantis hits Android and iOS users in malware, phishing attacks
July 19, 2022
After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K. the Roaming Mantis operation moved to targeting Android and iOS users in France, likely compromising tens of thousands of devices. Roaming Mantis is believed to be a financially-motivated threat actor that started targeting European users in February. In a recently observed campaign, the threat actor ...