Kimjongrat

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
KimJongRAT is a potent form of malware, malicious software designed to infiltrate and damage computer systems, often without the user's knowledge. It primarily functions as an information stealer, extracting sensitive data such as email credentials from Microsoft Outlook and Mozilla Thunderbird, and login details for Google, Facebook, and Yahoo accounts from various browsers like Internet Explorer, Chrome, Mozilla Firefox, and Yandex Browser. The original filename "cow_pass.fig" suggests that KimJongRAT is primarily used by threat actors as a password extraction tool. Data collected through this malware is typically exfiltrated to Command and Control (C2) servers with support from other malware such as BabyShark or PCRat. In our previous research, we identified potential links between the BabyShark malware and the KimJongRAT family. Our analysis revealed that BabyShark attacks were utilizing KimJongRAT and PCRat as the encoded secondary payload, leading us to nickname these malware families as the "Cowboys." After decoding, it was confirmed that these samples were indeed KimJongRAT and PCRat respectively. However, it's important to note that these malware families could potentially be replaced with others in future attacks. The connections between BabyShark and KimJongRAT were established based on similarities in malware behavior, similar interests in targets, and the observation of a freshly compiled KimJongRAT malware sample originating from the same threat actor. This suggests a coordinated effort among different types of malware to maximize their damaging potential. As a result, organizations must remain vigilant and ensure robust cybersecurity measures are in place to counter such multifaceted threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
BabyShark
1
BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p
Pcrat
1
PCrat is a notorious remote administration trojan, with its source code openly accessible on the public internet. This malware, along with KimJongRAT, has been identified as part of malicious cyber attacks. In our analysis, we found that these two malwares were used as the encoded secondary payload
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Outlook
Facebook
Payload
Firefox
Malware
Chrome
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Kimjongrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat