
Kimsuki hackers use commodity RATs with custom Gold Dragon malware
2022-02-08 20:35

South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.

A sophisticated threat actor may choose to use commodity RATs because, for basic reconnaissance operations, these tools are perfectly adequate and don't require much configuration.

Commodity RATs blend in with activity from a broad spectrum of threat actors, making it harder for analysts to attribute malicious activity to a particular group.

Gold Dragon is a second-stage backdoor that Kimsuky typically deploys after a fileless, PowerShell-based first stage that uses steganography to hide its payload.

"The attacker installed Gold Dragon through the exclusive installer. The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker's server, decompresses it as "in[...]" - ASEC.

Next, the installer adds a new registry key to establish startup persistence for the malware payload. Finally, Kimsuky drops an uninstaller that can delete the traces of compromise if and when needed.
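The article does not name the registry key the installer writes, so the following is an added hunting example (not code from the article, BleepingComputer or ASEC) that enumerates the common autorun locations on a Windows host and flags entries whose executable lives outside the Windows or Program Files trees, or under user-writable directories such as AppData and Temp. The key list and the "trusted root" heuristic are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example: generic Run-key persistence hunt. The specific key used by the
# Gold Dragon installer is not stated in the article; this checks the usual suspects.
$autorunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed "trusted" install roots; anything launched from elsewhere gets flagged.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
  Where-Object { $_ }

function Get-AutorunEntries {
  foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
      $cmd = [string]$item.GetValue($name)

      # Extract the executable: a quoted path, or the first whitespace-delimited token.
      $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
      $exe = [Environment]::ExpandEnvironmentVariables($exe)

      $inTrusted = $false
      foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
      }

      [pscustomobject]@{
        Key        = $key
        Name       = $name
        Command    = $cmd
        Executable = $exe
        Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
        # Heuristic: untrusted location, or a user/world-writable directory in the path.
        Suspicious = (-not $inTrusted) -or ($exe -match '\\(AppData|Temp|ProgramData|Public)\\')
      }
    }
  }
}

Get-AutorunEntries | Where-Object Suspicious | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable. The heuristic is deliberately noisy (legitimate updaters also live in ProgramData and AppData); treat the output as a triage list to compare against a known-good baseline, and pair it with the Gzip download and later uninstaller activity described above when scoping an intrusion.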


News URL

https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/