This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- New cold boot attack affects seven years of LG Android smartphones
June 2, 2020
South Korean phone manufacturer LG has released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. The vulnerability, tracked under the identifier of CVE-2020-12753, impacts the bootloader component that ships with LG smartphones. Separate from the Android OS, the bootloader is a piece of firmware specific ...
- Factory Security Problems from an IT Perspective (Part 3): Practical approach for stable operation
June 1, 2020
This article is the last in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. As explained in the first two articles, a factory network that accounts for diverse conditions and environments requires a well-balanced consideration ...
- Minneapolis Police Department Hack Likely Fake, Says Researcher
June 1, 2020
As protests continue to proliferate across the globe in the wake of George Floyd’s death, the Minnesota Police Department is making news for something else: A supposed hack, perpetrated at the hands of the Anonymous hacktivist group. According to Troy Hunt at Have I Been Pwned (HIBP), the group of allegedly ill-gotten email addresses and passwords ...
- Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
May 28, 2020
First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April ...
- Hackers Compromise Cisco Servers Via SaltStack Flaws
May 28, 2020
Cisco said attackers have been able to compromise its servers after exploiting two known, critical SaltStack vulnerabilities. The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products. Two Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), ...
- ‘[F]Unicorn’ Ransomware Impersonates Legit COVID-19 Contact-Tracing App
May 27, 2020
A fresh ransomware strain known as “Unicorn” has emerged, first seen this week targeting users by pretending to be an official government COVID-19 contact tracing app. According to an advisory from the Computer Emergency Response Team (CERT) from the Agency for Digital Italy (AgID), the malware family is taking advantage of the rollout of “Immuni” – ...