
KimJongRAT

Posted: June 7, 2019

KimJongRAT is a Remote Access Trojan that includes features for data exfiltration. Threat actors may use it to control your computer or collect information, and it is likely to be supported by related Trojans with similar features. Use your anti-malware products to uninstall KimJongRAT, and prevent infections by monitoring e-mail and Web-browsing content appropriately.

A Spyware in a Dictator's Name

Remote Access Trojans' best selling points tend to be their user-friendly interfaces for issuing commands from an attacker to a compromised PC. The proprietary KimJongRAT is an exception to the rule, possibly because its threat actors prefer the semi-public PCRat, or one of their other supporting Trojans, BabyShark, for such purposes. Whatever the reasoning behind its specialization, malware analysts find that KimJongRAT's greatest danger is to the victim's stored passwords and other login credentials.

KimJongRAT has close ties to attacks against organizations involved in both cryptocurrency speculation and Korean peninsula political concerns, and its installation often occurs at the hands of the aforementioned BabyShark, alongside PCRat. Besides its features for accepting commands and conducting other attacks, KimJongRAT has incisive data-collection features, although the specifics vary depending on the version.

Old versions of KimJongRAT use a dual C&C communication structure that contacts both a Gmail account and a website; the Trojan may use this channel to download files that execute corrupted code, as well as for the traditional uploading of collected information. However, new releases of KimJongRAT in 2019 abandon these relatively noisy networking features. The Trojan replaces them with a narrower search for Web-browsing credentials in browsers such as Chrome and Internet Explorer, along with credentials for some accounts, such as Facebook.
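The credential-harvesting behaviour described above is something a defender can watch for on the endpoint. The following is an added example, not code from the original page or from any vendor: a small detection run over constructed file-access events that flags any process other than the browser itself reading Chrome's credential store. The event format, the process names and the sample lines are assumptions made for this example.

```python
# Added example (not from the original page): flag non-browser processes that
# read Chrome's credential store. Event format, process names and sample lines
# are constructed assumptions for illustration.
from dataclasses import dataclass

# Files under a Chrome profile that hold saved logins, session cookies and form data.
CHROME_CREDENTIAL_FILES = ("login data", "cookies", "web data")
# Processes expected to touch those files legitimately.
BROWSER_PROCESSES = {"chrome.exe"}


@dataclass
class Event:
    time: str
    process: str
    path: str


# Constructed events in a simple "time|process|path" format (not real telemetry).
SAMPLE_EVENTS = """\
2019-06-07T10:00:01|chrome.exe|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2019-06-07T10:00:05|winword.exe|C:\\Users\\u\\Documents\\report.docx
2019-06-07T10:00:09|tmp_svc.exe|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2019-06-07T10:00:12|update.exe|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
"""


def parse_events(text: str) -> list[Event]:
    """Parse the constructed pipe-separated event lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, process, path = line.split("|", 2)
        events.append(Event(time, process.lower(), path))
    return events


def is_chrome_credential_path(path: str) -> bool:
    """True when the path points at a credential file inside any Chrome profile."""
    norm = path.replace("/", "\\").lower()
    filename = norm.rsplit("\\", 1)[-1]
    return "\\google\\chrome\\user data\\" in norm and filename in CHROME_CREDENTIAL_FILES


def find_credential_access(events: list[Event]) -> list[Event]:
    """Return events where a non-browser process reads the credential store."""
    return [e for e in events
            if is_chrome_credential_path(e.path) and e.process not in BROWSER_PROCESSES]


if __name__ == "__main__":
    for e in find_credential_access(parse_events(SAMPLE_EVENTS)):
        print(f"{e.time} {e.process} read {e.path}")
```

On real telemetry the same logic applies to file-open or file-read events (for example from EDR or Sysmon), with the browser allow-list extended to every browser in use and, ideally, to its signed updater processes.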

Dealing with Cowboys Gone Outlaw

Although not every KimJongRAT infection is a smaller part of a larger BabyShark one, 2019 attacks imply a healthy working relationship between the two, both from the observed coincidence of these threats and from other details, such as shared file paths. In these scenarios, KimJongRAT wears the label of a 'cowboy' payload for the BabyShark Trojan, along with PCRat. Infection vectors that malware researchers highlight as worth watching out for include:

  • Phishing lures in e-mails can use both non-public and public content to lure users into clicking a corrupted link or attached file. Files resulting in KimJongRAT infections are generally spreadsheets or documents with macros or similar exploits.
  • A watering hole attack is a secondary possibility that arises from users visiting a compromised website and loading unsafe content, such as JavaScript or Flash. A watering hole attack differs from a 'normal' website compromise in its narrow targeting of domains of interest to niche Web surfers – such as nuclear security news sites.

Updating software and refusing prompts to enable unwanted content, along with similar precautions, can block most of these infection techniques. Anti-malware utilities should also be capable of deleting KimJongRAT, although re-securing any stolen information will remain necessary.

With API-concealing ciphers and other tricks keeping it modernized, KimJongRAT receives updates that keep it current against the cyber-security industry's defenses. Its likely victims should do all they can to keep it from becoming a problem, since there is no way to reverse the theft of one's information.
