Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both use a multi-stage infection chain that begins with a Windows shortcut (LNK) file, which downloads a dropper from a content delivery network (CDN). The PE variant deploys a loader, a decoy PDF, and a text file; the PowerShell variant deploys a decoy PDF and a ZIP archive containing the scripts. Both variants collect victim system information and browser data, including data from cryptocurrency-wallet browser extensions. The PowerShell variant is more cryptocurrency-focused and searches for an extensive list of browser wallet extensions. The malware abuses legitimate CDN services to blend its payload delivery with ordinary traffic, and it has evolved since its first appearance in 2013, indicating continued development of its capabilities.
OPENCTI LABELS :
powershell,stealer,cryptocurrency,multi-stage infection,browser extensions,content delivery network,kimjongrat
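The first stage summarized above, an LNK file that fetches a dropper over HTTP(S), is the point at which a defender can usually catch this chain before any stealer code runs. The following PowerShell is an added example written for this page, not code from the original report or its authors. It parses shortcut files through the WScript.Shell COM object and scores each one on generic loader heuristics: an interpreter or LOLBin as the target, download or encoded-command tokens in the arguments, padded or over-long arguments, a double extension that imitates the decoy document, a minimized window, and an icon borrowed from a different binary. The interpreter list, regular expressions and thresholds are this editor's assumptions, not indicators from the report (the summary lists none), so tune them for your environment.

```powershell
# Added example, not code from the original report or its authors: defender-side triage of
# .lnk files for the first stage described above (a shortcut that downloads a dropper).
# Every file-name list, regex and threshold below is this editor's heuristic, not an IOC
# taken from the report.

function Get-SuspiciousLnk {
    [CmdletBinding()]
    param(
        # Directories to sweep, e.g. Downloads, Desktop, %TEMP%, mail attachment caches
        [Parameter(Mandatory)][string[]]$Path,

        # Script hosts and LOLBins a "document" shortcut has no business launching (assumed list)
        [string[]]$InterpreterNames = @('powershell.exe','pwsh.exe','cmd.exe','mshta.exe','wscript.exe',
                                        'cscript.exe','rundll32.exe','regsvr32.exe','bitsadmin.exe',
                                        'certutil.exe','curl.exe','msiexec.exe','conhost.exe'),

        # Download, decode, hide-window and execute tokens in the argument string (assumed, case-insensitive)
        [string]$ArgumentPattern = 'https?://|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|' +
                                   'Start-BitsTransfer|urlcache|-enc(odedcommand)?\b|FromBase64String|' +
                                   '-w(indowstyle)?\s+h(idden)?\b|Invoke-Expression|\biex\b|-nop\b|-ep\s+bypass'
    )

    $shell = New-Object -ComObject WScript.Shell
    try {
        Get-ChildItem -Path $Path -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = [string]$lnk.TargetPath
            $arguments = [string]$lnk.Arguments      # not $args: that name is a PowerShell automatic variable
            $reasons   = New-Object 'System.Collections.Generic.List[string]'

            # 1. Target is a script host or LOLBin rather than a document or a normal application
            $targetName = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
            if ($InterpreterNames -contains $targetName) { $reasons.Add("target=$targetName") }

            # 2. Arguments carry a URL, a download cmdlet, an encoded command or a hidden-window switch
            if ($arguments -match $ArgumentPattern) { $reasons.Add("args contain '$($Matches[0])'") }

            # 3. Over-long or whitespace-padded arguments: the shortcut Properties dialog shows only the
            #    first few hundred characters, so padding pushes the real command out of view
            if ($arguments.Length -gt 260 -or $arguments -match '^\s{16,}') {
                $reasons.Add("args length=$($arguments.Length)")
            }

            # 4. Double extension such as Report.pdf.lnk, posing as the decoy document the chain later drops
            if ($_.BaseName -match '\.(pdf|docx?|xlsx?|pptx?|txt|rtf|jpe?g|png)$') {
                $reasons.Add("double extension '$($_.BaseName)'")
            }

            # 5. Minimized window (WindowStyle 7) so the console never becomes visible to the victim
            if ($lnk.WindowStyle -eq 7) { $reasons.Add('WindowStyle=7 (minimized)') }

            # 6. Icon taken from a binary other than the target (e.g. a PDF reader icon on a cmd.exe shortcut)
            $icon = ([string]$lnk.IconLocation -split ',')[0].Trim()
            if ($icon -and $target -and $icon -notlike "*$targetName" -and $icon -match '\.(exe|dll|ico)$') {
                $reasons.Add("icon=$([System.IO.Path]::GetFileName($icon))")
            }

            if ($reasons.Count -gt 0) {
                $shortArgs = if ($arguments.Length -gt 120) { $arguments.Substring(0, 120) + '...' } else { $arguments }
                [pscustomobject]@{
                    Score     = $reasons.Count
                    File      = $_.FullName
                    Target    = $target
                    Arguments = $shortArgs
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
    finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Usage: sweep the usual landing zones and surface the highest-scoring shortcuts first
Get-SuspiciousLnk -Path "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP |
    Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Run it on a live Windows host (PowerShell 5.1 or later) or point it at a mounted evidence image. A score of one is noise on many systems (installed programs legitimately use a shell32.dll icon, for instance); a shortcut that combines an interpreter target with a URL or encoded command in its arguments and a document-style double extension is the shape of the first stage described above and is worth pulling for full analysis.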