This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Zyxel urges customers to patch critical firewall bypass vulnerability
April 1, 2022
Zyxel is urging customers to immediately patch a critical vulnerability in the vendor’s firewall software. In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines. Tracked as CVE-2022-0342 and issued a critical severity ...
- Modem-wiping malware caused Viasat satellite broadband outage in Europe
April 1, 2022
Tens of thousands of Viasat satellite broadband modems that were disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia’s destructive VPNFilter, according to SentinelOne. On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, ...
- Lazarus Trojanized DeFi app for delivering malware
March 31, 2022
For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving. We recently discovered a ...
- Meet BlackGuard: a new infostealer peddled on Russian hacker forums
March 31, 2022
Researchers have uncovered a new infostealer malware being peddled in Russian underground forums. Dubbed BlackGuard, zScaler says that the new malware strain is “sophisticated” and has been made available to criminal buyers for a monthly price of $200. Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network ...
- Tracking cyber activity in Eastern Europe
March 30, 2022
In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, ...
- An In-Depth Look at ICS Vulnerabilities Part 1
March 30, 2022
Every year, vulnerabilities are discovered and registered to a Common Vulnerabilities and Exposures (CVE) ID by the MITRE Corporation. Each vulnerability’s details are recorded, and specialists also include how to mitigate them under their CVE ID. Vulnerabilities that can affect industrial control system (ICS) environments are identified to the public through advisories by the Industrial ...