This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Chase Bank Phish Swims Past Exchange Email Protections
April 28, 2021
Threat actors are impersonating Chase Bank in two phishing attacks that can slip past Microsoft Exchange security protections in an aim to steal credentials from victims — by spoofing real-life customer scenarios. Researchers from Armorblox recently discovered the attacks, one of which claims to contain a credit card statement, while the other informs users that their ...
- APT trends report Q1 2021
April 27, 2021
For four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed ...
- Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
April 27, 2021
In January, Trend Micro researchers encountered a new ransomware using .hello as its extension in one of our cases that possibly arrived via a SharePoint server vulnerability. This appeared to be a new ransomware family dubbed as the Hello ransomware (aka WickrMe), named after the chat application that was used to contact the cybercriminals responsible. Previous ...
- Linux Kernel Bug Opens Door to Wider Cyberattacks
April 27, 2021
An information-disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices. Specifically, the bug (CVE-2020-28588) exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, according to Cisco Talos, which discovered the vulnerability. It arises from an improper conversion of ...
- Flubot Spyware Spreading Through Android Devices
April 26, 2021
Android mobile phone users across the U.K. are being targeted by text messages containing a particularly nasty piece of spyware called “Flubot,” according to the country’s National Cyber Security Centre. The malware is delivered to targets through SMS texts and prompts them to install a “missed package delivery” app. Instead, it takes victims to a scam ...
- DC Police confirms cyberattack after ransomware gang leaks data
April 26, 2021
The Metropolitan Police Department has confirmed that they suffered a cyberattack after the Babuk ransomware gang leaked screenshots of stolen data. The Metropolitan Police Department, also known as the DC Police or MPD, is the primary law enforcement agency for Washington, DC, the US capital. In a statement to BleepingComputer, the DC Police stated that they are ...