This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- New espionage malware found targeting Russian-speaking users in Eastern Europe
October 10, 2019
Security researchers have discovered an advanced malware strain that’s been deployed to spy on diplomats and Russian-speaking users in Eastern Europe. The malware, named Attor, has been used in attacks since 2013 but was only discovered last year, according to an ESET report published today. ESET said the malware bears the signs of a targeted espionage campaign ...
- More xHunt – New PowerShell Backdoor Blocked Through DNS Tunnel Detection
October 10, 2019
During our continued analysis of the xHunt campaign, we observed several domains with ties to the pasta58com, being used as the C2 server for a new PowerShell based backdoor that we’ve named CASHY200. This PowerShell backdoor ...
- CVE-2019-16928: Exploiting an Exim Vulnerability via EHLO Strings
October 10, 2019
In September, security researchers from the QAX-A-Team discovered the existence of CVE-2019-16928, a vulnerability involving the mail transfer agent Exim. Exim accounts for over 50% of publicly reachable mail servers on the internet. What makes the bug particularly noteworthy is that threat actors could exploit it to perform denial of service (DoS) or possibly even remote code execution ...
- Intelligence Agencies Warn Of Flaw With VPN Products
October 9, 2019
Both the US NSA and UK NCSC warn hackers are actively exploiting vulnerabilities in VPN products Both the US National Security Agency (NSA) and a GQHC agency in the United Kingdom have issued warnings about “multiple vulnerabilities in Virtual Private Network (VPN) applications.” Both the NSA and the UK’s National Cyber Security Centre (NCSC) warned that advanced persistent threat (APT) ...
- FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops
October 9, 2019
trend Micro discovered that the online credit card skimming attack known as Magecart or E-Skimming was actively operating on 3,126 online shops. Our data shows that the attack started on September 7, 2019. All of the impacted online shops are hosted on the cloud platform of the e-commerce service provider “Volusion,” one of the top e-commerce platforms in the market. ...
- The Value of Dark Web Coverage for Third-Party Risk Management
October 9, 2019
Everyone knows that a key ingredient to an effective third-party risk program is comprehensive, high-quality risk information. This includes details on supply chain risk, financial risk, legal risk, cyber risk, and more. With growing third-party ecosystems, it’s easier said than done for risk management teams to collect, organize, and prioritize their own risk information along ...