Rftrat

Malware Profile Updated 3 months ago
RftRAT is a remote access trojan (RAT) used by the Kimsuky Group. It has been delivered together with the Amadey malware in spear-phishing campaigns whose booby-trapped attachments and links are crafted to slip past security products; once a host is compromised, the operator can control it remotely and steal information from it. The AhnLab Security Emergency Response Center (ASEC) published an in-depth analysis of this Kimsuky activity, specifically the attacks that used RftRAT and Amadey, and identified six domains and seven IP addresses as indicators of compromise (IoCs). A follow-on DNS investigation that pivoted from those published IoCs uncovered 702 potentially connected artifacts: 336 email-connected domains, five IP addresses, five IP-connected domains, and 356 string-connected domains. The size of that footprint illustrates the infrastructure behind Kimsuky's campaigns, and ASEC's findings give defenders concrete indicators for blocking and hunting this malware.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be relevant.
ID | Votes | Profile Description
Amadey | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Miscellaneous Associations
Other elements of context that may help in judging relevance:
Phishing
Malware
Domains
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the RftRAT malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Kimsuky: DNS Intel Gathering
CERT-EU | 7 months ago | Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans