This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Hive ransomware attacks Memorial Health System, steals patient data
August 16, 2021
In what appears to be an attack from the Hive ransomware gang, computers of the non-profit Memorial Health System have been encrypted, forcing staff to work with paper charts. The attack occurred early Sunday morning and the IT department detected it once they noticed that parts of the infrastructure no longer responded as expected. Read more… Source: Bleeping ...
- T-Mobile says hackers accessed user data but won’t confirm SSN breach of 100 million customers
August 16, 2021
T-Mobile is looking into allegations that a hacker stole 106GB of data containing the social security numbers, names, addresses and driver’s license information for more than 100 million people. In a statement to ZDNet, T-Mobile said it is “aware of claims made in an underground forum and have been actively investigating their validity.” Teams at T-Mobile ...
- Exchange Servers Under Active Attack via ProxyShell Bugs
August 15, 2021
Researchers’ Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords. In his Black Hat presentation last week, Devcore principal security researcher Orange Tsai said that a ...
- Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware
August 13, 2021
Cyberattackers are using Google’s reCAPTCHA (aka the “I am not a robot” function) and fake CAPTCHA-like services to obscure various phishing and other campaigns, according to researchers. There are signs however that those evasion efforts may be losing their efficacy. CAPTCHAs are familiar to most internet users as the challenges that are used to confirm that ...
- SynAck ransomware group releases decryption keys as they rebrand to El_Cometa
August 13, 2021
The SynAck ransomware gang has released decryption keys for victims that were infected between July 2017 and 2021, according to data obtained by The Record. SynAck is in the process of rebranding itself as the El_Cometa ransomware gang, and a member of the old group gave the keys to The Record. Emsisoft’s Michael Gillespie confirmed the veracity ...
- Microsoft Warns: Another Unpatched PrintNightmare Zero-Day
August 12, 2021
One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler. The zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as “important.” Microsoft said that it allows for a local ...