PCRat is a well-known remote administration trojan whose source code is openly available on the public internet. Together with KimJongRAT, it has been identified as part of malicious cyber attacks. In our analysis, we found that these two malware families were used as the encoded secondary payload in BabyShark attacks, earning them the nickname "Cowboys". Their primary function appears to be information stealing and disruption of operations. The original filename "cow_pass.fig" suggests that KimJongRAT is primarily used for password extraction, while PCRat supports data exfiltration to command-and-control (C2) servers.
These malware families have shown their adaptability and potential for future use in different configurations. While the current focus is on PCRat and KimJongRAT, threat actors may shift to other malware families in the future. In this case, PCRat was observed communicating with a C2 server at IP address 173.248.170[.]149:80, demonstrating the malware's ability to establish connections to external servers.
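The C2 indicator above is published in defanged form, so it cannot be compared to real log data as-is. The following added example (not code from the original report or from any vendor product) refangs the indicator and sweeps a set of constructed firewall log lines for connections to that host and port. The log format and the sample lines are hypothetical; only the C2 address itself comes from the text above.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Defanged C2 indicator exactly as published above (PCRat, port 80).
DEFANGED_C2 = "173.248.170[.]149:80"

# Constructed sample firewall/proxy log lines for demonstration; they are not
# from the original report. The key=value layout is a hypothetical format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.12 dst=173.248.170.149:80 proto=tcp action=allow",
    "2024-05-01T10:00:03Z src=10.0.0.12 dst=93.184.216.34:443 proto=tcp action=allow",
    "2024-05-01T10:00:07Z src=10.0.0.14 dst=173.248.170.14:80 proto=tcp action=allow",
    "2024-05-01T10:00:09Z src=10.0.0.12 dst=173.248.170.149:443 proto=tcp action=allow",
    "2024-05-01T10:01:15Z src=10.0.0.30 dst=173.248.170.149:80 proto=tcp action=deny",
    "malformed line that should be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared to real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_c2(indicator: str) -> Tuple[str, int]:
    """Split a refanged 'host:port' indicator into its two components."""
    host, _, port = refang(indicator).rpartition(":")
    return host, int(port)


def find_c2_hits(lines: Iterable[str], indicator: str = DEFANGED_C2) -> List[Dict[str, str]]:
    """Return the parsed log records whose destination equals the C2 host AND port.

    Matching is done on parsed fields rather than substrings, so a neighbouring
    address such as 173.248.170.14 or a different port on the same host does
    not produce a hit. Unparseable lines are skipped instead of aborting the sweep.
    """
    host, port = parse_c2(indicator)
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["dst"] == host and int(m["dport"]) == port:
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
```

Note that the sweep reports the denied connection as well as the allowed one: a connection attempt that an IPS or firewall blocked is still evidence that the source host is infected and beaconing, so both records belong in the incident timeline.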
Despite the threats posed by PCRat and KimJongRAT, defenses against them are robust. Our Intrusion Prevention System (IPS) engine blocks both pre- and post-infection network communications from the BabyShark and PCRat malware families. Decoding the PCRat payload metadata gives insight into how the malware operates, allowing us to better anticipate and counter future attacks.
Description last updated: 2024-05-04T21:41:29.884Z