Rftrat

Malware updated a year ago (2024-11-29T14:40:49.013Z)
Rftrat is malware used by the Kimsuky Group in its cyber-attacks. It reaches systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware, together with another known as Amadey, has been distributed through spear-phishing campaigns whose attachments and links were booby-trapped, with the aim of evading security products.

An in-depth investigation into the latest set of Kimsuky Group attack indicators of compromise (IoCs), specifically those tied to the RftRAT and Amadey malware, uncovered 702 potentially connected artifacts: 336 email-connected domains, five IP addresses, five IP-connected domains, and 356 string-connected domains. This finding illustrates the size of the infrastructure and the sophistication of the techniques the Kimsuky Group brings to its operations.

The AhnLab Security Emergency Response Center (ASEC) published its own in-depth investigation of the latest Kimsuky attack using RftRAT and Amadey, identifying six domains and seven IP addresses as IoCs. The two counts come from different investigations and should not be expected to match. ASEC's findings underline the value of ongoing research and collaboration in mitigating the risk posed by such advanced persistent threats, and provide useful input for strengthening defenses against this kind of malware.
Description last updated: 2024-01-13T00:18:14.356Z
Aliases: We are not currently tracking any aliases.
Miscellaneous associations (other elements of context that could aid in the identification of relevance): Malware
Associated Threat Actors
Alias: Kimsuky
Description: The Kimsuky Threat Actor is associated with Rftrat. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which
Association type: Unspecified
Votes: 2