From 2405f1c59e1717659a9f62a262d015f463c690e2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 27 Apr 2019 09:33:55 +0200
Subject: [PATCH] chg: [tool] Cowboy and KimJongRAT (Sorry Paul, we forgot ;-) ref: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
---
clusters/tool.json | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 77d4645..8493546 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7640,7 +7640,27 @@
 },
 "uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
 "value": "Karkoff"
+ },
+ {
+ "description": "We conclude that this RAT/stealeris efficient and was also really interesting to analyse.Furthermore, the creator made effortsto look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant withthe name of each brother. After some searches using Google, we identified anold variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is closeto our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixatedon the Kim family...The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhangand the secret question of this account is in Korean too.We don’t know if the malware truly comesfrom Korea.However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.",
+ "meta": {
+ "refs": [
+ "https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf"
+ ]
+ },
+ "uuid": "3160f772-d458-4bff-970c-1c0431238803",
+ "value": "KimJongRAT"
+ },
+ {
+ "description": "Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
+ ]
+ },
+ "uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
+ "value": "Cowboy"
 }
 ],
- "version": 117
+ "version": 118
 }
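Review bot: The KimJongRAT description added in this hunk is a raw PDF copy/paste: words are run together where line breaks were lost (`stealeris`, `effortsto`, `withthe`, `anold`, `closeto`, `fixatedon`, `comesfrom`) and several sentences have no space after the period, so the text renders garbled in any MISP view and defeats keyword search on the cluster. It also speaks in the paper's first person ("We conclude…", "we decided to name") and reproduces the mailbox owner and an old account password lifted from the analysis, none of which a cluster summary needs since the paper is already cited in `meta.refs`. A short third-person summary would fit the other entries better, e.g. `"description": "KimJongRAT is a RAT/stealer analysed by malware.lu, named for the North Korean Kim family references found in the samples' PDF author field and account details; an earlier variant with fewer features dates to 2010."`, and the Cowboy entry could be reworded the same way, e.g. `"description": "Name the malware author uses for the encoded secondary payload, regardless of which malware family is delivered (per Unit 42)."`. The array these two entries are appended to starts outside the hunk.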