This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Kaspersky, China Telecom, China Mobile named ‘threats to US national security’
March 28, 2022
The United Stations Federal Communications Commission (FCC) has labelled Kaspersky, China Mobile, and China Telecom as threats to national security. The three companies join Huawei, ZTE, Chinese radio-comms vendor Hytera, and Chinese video surveillance systems vendors Hangzhou Hikvision Digital Technology Company and Dahua Technology Company. Kaspersky is the first non-Chinese company to be added to the FCC’s ...
- ‘Massive cyberattack’ against Ukrainian ISP has been neutralized, Ukraine says
March 28, 2022
The Ukrainian Internet Service Provider Ukrtelecom was the target of a “massive cyberattack,” the Ukrainian government said Monday. As of 12:35 pm PT on Monday, the attack had been neutralized, according to the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine. The attack on core IT infrastructure impacted the entire nation, according to ...
- China APT group using Russia invasion, COVID-19 in phishing attacks
March 28, 2022
A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers (ISPs) and research institutions via phishing lures that refer to Russia’s invasion of Ukraine and COVID-19 travel restrictions. The ongoing campaign was first seen in August 2021 and is being tied to ...
- FBI: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector
March 24, 2022
This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by statesponsored Russian cyber actors from 2011 to 2018 and targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to ...
- Countering threats from North Korea
March 24, 2022
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups’ activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations ...
- TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)
March 24, 2022
The FBI is warning that the group responsible for the deployment of TRITON malware against a Middle East–based petrochemical plant’s safety instrumented system in 2017, the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), continues to conduct activity targeting the global energy sector. This warning follows the 24 March 2022 unsealing of a ...