Security News > 2022 > February > Kimsuki hackers use commodity RATs with custom Gold Dragon malware
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.
A sophisticated threat actor may choose to use commodity RATs because, for basic reconnaissance operations, these tools are perfectly adequate and don't require much configuration.
Commodity RATs blend in with activity from a broad spectrum of threat actors, making it harder for analysts to attribute malicious activity to a particular group.
Gold Dragon is a second-stage backdoor that Kimsuky typically deploys after a file-less PowerShell-based first-stage attack that leverages steganography.
"The attacker installed Gold Dragon through the exclusive installer. The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker's server, decompresses it as"in.
" - ASEC. Next, the installer adds a new registry key to establish startup persistence for the malware payload. Finally, Kimsuky drops an uninstaller that can delete the traces of compromise if and when needed.
News URL
Related news
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (source)
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer (source)
- Hacker infects 18,000 "script kiddies" with fake malware builder (source)
- North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS (source)
- Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware (source)
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)