Kimsuky hackers use commodity RATs with custom Gold Dragon malware
Security News, February 2022

South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.
A sophisticated threat actor may choose to use commodity RATs because, for basic reconnaissance operations, these tools are perfectly adequate and don't require much configuration.
Commodity RATs blend in with activity from a broad spectrum of threat actors, making it harder for analysts to attribute malicious activity to a particular group.
Gold Dragon is a second-stage backdoor that Kimsuky typically deploys after a file-less PowerShell-based first-stage attack that leverages steganography.
"The attacker installed Gold Dragon through the exclusive installer. The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker's server, decompresses it as "in." - ASEC.
Next, the installer adds a new registry key to establish startup persistence for the malware payload. Finally, Kimsuky drops an uninstaller that can delete the traces of compromise if and when needed.
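The persistence step above is the part of this chain a defender can audit without any Kimsuky-specific indicator. The following PowerShell script is an added example (not code from the article, ASEC, or the malware) that enumerates the standard Run/RunOnce autostart keys and flags entries launching from user-writable directories or via a scripting host such as PowerShell. The article does not name the key or value Gold Dragon's installer writes, so the key list and the suspicious-path heuristic are assumptions for general triage, not indicators of this campaign.

```powershell
# Added example: audit common autostart registry keys for suspicious entries.
# The article only says the installer "adds a new registry key to establish
# startup persistence"; the exact key/value names are not given, so this
# checks the standard autostart locations (assumption) rather than any
# Kimsuky-specific indicator.

$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories that properly installed software rarely autostarts from.
# This is a triage heuristic (assumption), not proof of compromise.
$SuspiciousPathPattern = '\\(AppData|Temp|ProgramData|Public|Downloads)\\'

# The article describes a PowerShell-based first stage; other script hosts
# are included as a general heuristic (assumption).
$ScriptHostPattern = '(?i)powershell|wscript|cscript|mshta|rundll32|regsvr32'

function Get-AutostartEntry {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            [PSCustomObject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Suspicious = ($command -match $SuspiciousPathPattern) -or
                             ($command -match $ScriptHostPattern)
            }
        }
    }
}

$entries = Get-AutostartEntry
$entries | Format-Table -AutoSize

# Surface anything matching the heuristics for an analyst to review.
$entries | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Review autostart entry '{0}' in {1}: {2}" -f $_.Name, $_.Key, $_.Command)
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable; compare the output against a known-good baseline from the same build, since legitimate updaters also live under ProgramData and AppData and will trigger the path heuristic.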