Threat Intelligence

Sophisticated EndClientRAT deployed by Kimsuky-linked hackers

Computer keyboard, close-up button of the flag of North Korea.

Attacks with the new EndClient RAT trojan have been launched by Kimsuky-linked threat actors against North Korean human rights defenders since September, GBHackers News reports.

After wiping an activist's Android device with EndClient RAT distributed through a "StressClear.msi"-spoofing Microsoft Installer package, hackers proceeded to compromise their KakaoTalk account to facilitate the deployment of the backdoor to 39 other targets, according to a report from 0x0v1.

Execution of EndClient RAT, which has been signed with a stolen Chengdu Huifenghe Science and Technology Co. Ltd. certificate, triggers multiple anti-analysis capabilities, including the creation of polymorphic file mutations to obscure itself from Avast software.

Aside from using various mechanisms for persistence, EndClient RAT enables remote shell command execution, system data gathering, and file transfers, said researchers. Organizations have been urged to defend themselves from the threat of EndClient RAT through highly focused threat hunting operations and increased vigilance on MSI files.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds