More sophisticated KimJongRAT stealer variants emerge

Two new, more advanced variants of the KimJongRAT information-stealing malware are using weaponized Windows LNK files to carry out multi-stage compromise of cryptocurrency wallets, browser credentials, and system information, GBHackers News reports.
According to an analysis by Palo Alto Networks Unit 42 researchers, attacks begin with a malicious LNK file posing as a legitimate document as a lure; opening it drops an HTML Application (HTA) into the Windows %temp% directory, which then deploys one of the two KimJongRAT variants. The PowerShell variant extracts a ZIP archive containing a PowerShell script that decodes and runs the stealer and keylogger scripts, which exfiltrate data from a range of cryptocurrency wallet browser extensions and browsers. The Portable Executable (PE) variant instead runs a loader and additional payloads that also steal FTP and email client credentials. Both variants were found to use legitimate content delivery network services and XOR- and RC4-encrypted communications to conceal their activity.
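The chain described above has one choke point that is easy to watch for on endpoints: mshta.exe executing an .hta file out of the per-user %temp% directory, followed by a PowerShell child process. The following detection logic is an added example written for this article, not Unit 42's or GBHackers' code; the event records are constructed sample data whose field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption of this example rather than any product's schema, and the paths and file names are invented, not indicators from the report.

```python
import re

# Constructed sample process-creation events (not real telemetry). The shape is
# a simplified stand-in for Sysmon Event ID 1 / EDR process-start records; the
# field names are an assumption of this example, not a specific product schema.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # LNK lure opened by the user -> HTA dropped to %temp% and run by mshta.exe
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"'},
    # HTA spawns a hidden PowerShell stage
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\run.ps1"},
    # mshta running an HTA from an installed location: not matched by this rule
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Matches a .hta path located under the per-user %temp% directory
# (C:\Users\<user>\AppData\Local\Temp\...). Case-insensitive, as Windows paths are.
TEMP_HTA_RE = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"\']+\\AppData\\Local\\Temp\\[^"\'\s]+\.hta\b',
    re.IGNORECASE,
)


def image_name(event):
    """Return the lowercase executable file name from the full image path."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def temp_hta_path(event):
    """Return the %temp% HTA path if this event is mshta.exe running one, else None."""
    if image_name(event) != "mshta.exe":
        return None
    m = TEMP_HTA_RE.search(event["cmdline"])
    return m.group(0) if m else None


def find_suspicious_chains(events):
    """Flag mshta.exe launching an HTA from %temp%, and note PowerShell children.

    Returns one finding per matching mshta process; severity is 'high' when
    the HTA went on to spawn PowerShell (the two-stage pattern described in
    the article) and 'medium' otherwise.
    """
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    findings = []
    for ev in events:
        hta = temp_hta_path(ev)
        if hta is None:
            continue
        ps_children = [c["pid"] for c in children.get(ev["pid"], [])
                       if image_name(c) in ("powershell.exe", "pwsh.exe")]
        findings.append({
            "mshta_pid": ev["pid"],
            "hta_path": hta,
            "powershell_children": ps_children,
            "severity": "high" if ps_children else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the HTA's location rather than on mshta.exe alone, since legitimate installers and admin tooling do run HTAs from program directories; restricting the match to %temp% keeps the false-positive rate down while still catching the drop-and-execute step, and the PowerShell child check raises severity only when the second stage actually fires.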