Kimsuki hackers use commodity RATs with custom Gold Dragon malware

2022-02-08 20:35

South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.

A sophisticated threat actor may choose to use commodity RATs because, for basic reconnaissance operations, these tools are perfectly adequate and don't require much configuration.

Commodity RATs blend in with activity from a broad spectrum of threat actors, making it harder for analysts to attribute malicious activity to a particular group.

Gold Dragon is a second-stage backdoor that Kimsuky typically deploys after a file-less PowerShell-based first-stage attack that leverages steganography.

"The attacker installed Gold Dragon through the exclusive installer. The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker's server, decompresses it as"in.

" - ASEC. Next, the installer adds a new registry key to establish startup persistence for the malware payload. Finally, Kimsuky drops an uninstaller that can delete the traces of compromise if and when needed.

News URL

https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/

#hacker #malware #RAT

News URL

Related news