Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats
Executive Summary
Variants of the KimJongRAT malware family have been consistently identified since the 2010s.
Upon execution via phishing emails, modular malware components exfiltrate sensitive victim data, including system configuration and browser artifacts.
The malware extracts the master key from Chromium-based browsers to decrypt sensitive browser data.
Identification of GitHub and cloud storage infrastructure enabled rapid tracking of successive malware variants.
Additional spear-phishing waves and related infrastructure linked to the same attacker were identified.
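The browser-data theft summarized above hinges on reading the DPAPI-protected master key that Chromium-based browsers keep in their "Local State" file, and the credential and cookie databases beside it. The following detector is an added example (not code from the ENKI report or from the malware): it flags any process other than the browser itself reading those files, over a constructed, simplified file-access event format that is an assumption rather than any vendor's schema.

```python
import re
from pathlib import PureWindowsPath

# Chromium secret store: "Local State" holds the encrypted master key; the
# other files hold the data that key protects.
SECRET_STORE_FILES = {"local state", "login data", "cookies", "web data"}
# Profile directory fragments of common Chromium-based browsers.
CHROMIUM_DIRS = ("google\\chrome\\user data", "microsoft\\edge\\user data",
                 "bravesoftware\\brave-browser\\user data")
# Binaries legitimately expected to read their own profile store.
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Constructed event layout (assumption): ts proc="..." op=read path="..."
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) proc="(?P<proc>[^"]+)" op=(?P<op>\w+) path="(?P<path>[^"]+)"$')


def parse_event(line):
    """Parse one event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(event):
    """True when a non-browser process reads a Chromium secret-store file."""
    if event is None or event["op"] != "read":
        return False
    path = PureWindowsPath(event["path"])
    low = str(path).lower()
    in_profile = any(d in low for d in CHROMIUM_DIRS)
    is_secret_file = path.name.lower() in SECRET_STORE_FILES
    proc = PureWindowsPath(event["proc"]).name.lower()
    return in_profile and is_secret_file and proc not in BROWSER_BINARIES


def scan(lines):
    """Return the suspicious events found in an iterable of log lines."""
    return [e for e in map(parse_event, lines) if is_suspicious(e)]


# Constructed sample log: a benign browser read, a PowerShell read of the
# master key file, and a read of the password database by an unknown binary.
SAMPLE_LOG = [
    r'2025-06-01T09:00:01Z proc="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2025-06-01T09:02:17Z proc="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" op=read path="C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2025-06-01T09:02:18Z proc="C:\Users\u\AppData\Local\Temp\update.exe" op=read path="C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'ALERT {hit["ts"]} {hit["proc"]} read {hit["path"]}')
```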
1. Overview
Since the 2010s, KimJongRAT has continued to surface in the wild. First designated in 2013, KimJongRAT has been consistently attributed to DPRK-nexus threat actor Kimsuky.
Recently, the attacker employed KimJongRAT variants that contain only data-theft logic while omitting C&C communication logic, distributing two branches of malware: a PE executable and a PowerShell script. ENKI WhiteHat Threat Research Team has continuously tracked this activity, identifying new infrastructure and related campaigns by the same actor.
During tracking, we obtained multiple phishing emails, confirming the use …
IoC