KimJongRAT is a potent form of malware, malicious software designed to infiltrate and damage computer systems, often without the user's knowledge. It primarily functions as an information stealer, extracting sensitive data such as email credentials from Microsoft Outlook and Mozilla Thunderbird, and login details for Google, Facebook, and Yahoo accounts from various browsers like Internet Explorer, Chrome, Mozilla Firefox, and Yandex Browser. The original filename "cow_pass.fig" suggests that KimJongRAT is primarily used by threat actors as a password extraction tool. Data collected through this malware is typically exfiltrated to Command and Control (C2) servers with support from other malware such as BabyShark or PCRat.
In our previous research, we identified potential links between the BabyShark malware and the KimJongRAT family. Our analysis revealed that BabyShark attacks were utilizing KimJongRAT and PCRat as the encoded secondary payload, leading us to nickname these malware families as the "Cowboys." After decoding, it was confirmed that these samples were indeed KimJongRAT and PCRat respectively. However, it's important to note that these malware families could potentially be replaced with others in future attacks.
The connections between BabyShark and KimJongRAT were established based on similarities in malware behavior, similar interests in targets, and the observation of a freshly compiled KimJongRAT malware sample originating from the same threat actor. This suggests a coordinated effort among different types of malware to maximize their damaging potential. As a result, organizations must remain vigilant and ensure robust cybersecurity measures are in place to counter such multifaceted threats.
Description last updated: 2024-05-04T21:41:29.467Z