Malware, Threat Intelligence

Illicit HTA files facilitate KimJongRAT distribution

North Korean remote IT worker scam

Windows systems are being targeted with the advanced KimJongRAT malware linked to North Korean state-sponsored advanced persistent threat operation Kimsuky via malicious HTA files, according to GBHackers News.

Attackers distribute phishing emails with a ZIP archive purporting to be a tax notice that includes an LNK file masquerading as a tax notice PDF document, which when run leverages mshta for Base64-encoded URL encoding and the eventual activation of the HTA file, a report from ESTsecurity showed. Execution of the HTA file prompts additional illicit file and decoy document downloads, with the payloads deployed depending on the operation of security software.

While Windows Defender disablement allows the downloading of a log file that facilitates not only the exfiltration of system data, browser storage details, and browser encryption keys, but also of cryptocurrency wallet details, Discord credentials, and Telegram accounts, activation of Windows Defender enables similar data gathering activity but with increased persistence.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds