Illustration=Son Min-gyun

The malware "KimJongRAT," known to be linked to the Kimsuky hacking group under North Korea's Reconnaissance General Bureau, is being distributed disguised as a national tax notice file, raising concerns that users need to be cautious.

According to the information and communications technology (ICT) industry on Feb. 2, ESTsecurity Security Response Center released a report that KimJongRAT, a remote access Trojan associated with the Kimsuky group, is spreading as an HTA file. Attackers frequently use HTA files because Windows can fetch and execute an HTA directly from the internet through one of its own built-in processes.

The file was distributed under the name "national tax notice pdf.zip" and is presumed to have initially spread via a phishing email. The archive contains a shortcut (LNK) file disguised as a document named "national tax notice.pdf".

When a user runs the shortcut, an encoded value stored inside it is decoded into a URL, and the shortcut connects to that URL. The connection downloads an HTA file; running the HTA in turn downloads a decoy file (a lure file to prevent ransomware) and the malicious payload.

The center said the distinguishing characteristic of this attack is that it sends different data depending on the Windows security program. According to the report, the malware downloads different files depending on whether the user's security program is disabled or enabled, and it periodically collects and transmits user information. Because it appears to steal information tailored to domestic conditions, the center assessed that this KimJongRAT is malware meticulously crafted to target the domestic sector.

The center emphasized, "Microsoft (MS) is strengthening security, but in legacy systems or environments with weak security settings, KimJongRAT remains a highly effective attack method, so Windows and software (SW) must be kept up to date." It added, "Enable the show file extensions feature in File Explorer and always check the extension before running a file."
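The archive-plus-disguised-shortcut delivery described above, and the center's advice to check a file's real extension, can be turned into an automated check. The following is an added example, not code from ESTsecurity or from the report: it scans a zip archive in memory and flags entries that carry the Windows Shell Link header bytes while presenting a document-like name, so a shortcut renamed to look like a PDF is caught by its contents rather than by the name shown in File Explorer. The document extension list and the sample archive are constructed for this example.

```python
import io
import os
import zipfile

# Document extensions a lure shortcut is likely to mimic (constructed list for this example)
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the start of the fixed LinkCLSID
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def suspicious_lnk_entries(zip_bytes: bytes) -> list:
    """Return archive entries that are Windows shortcuts carrying a document-like name.

    The decision is made on the LNK header bytes, not on the filename, so a
    shortcut renamed to hide its nature is still reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not data.startswith(LNK_MAGIC):
                continue
            # Strip a trailing ".lnk" (if present) and look at the extension that remains
            shown = info.filename
            if shown.lower().endswith(".lnk"):
                shown = shown[:-4]
            if os.path.splitext(shown)[1].lower() in DOC_EXTS:
                findings.append(info.filename)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file plus a shortcut posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, not a shortcut")
        # Minimal LNK-like body: valid header bytes plus padding (not a working shortcut)
        zf.writestr("national tax notice.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_lnk_entries(build_sample_archive()):
        print("suspicious shortcut:", name)
```

The same check can be run over attachments at a mail gateway or on a download directory before the user ever sees the archive.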

※ This article has been translated by AI.