mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-26 08:47:18 +00:00
chg: [tool] Cowboy and KimJongRAT (Sorry Paul, we forgot ;-)
ref: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
This commit is contained in:
parent
094f0e0684
commit
2405f1c59e
1 changed files with 21 additions and 1 deletions
|
@ -7640,7 +7640,27 @@
|
||||||
},
|
},
|
||||||
"uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
|
"uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
|
||||||
"value": "Karkoff"
|
"value": "Karkoff"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "We conclude that this RAT/stealeris efficient and was also really interesting to analyse.Furthermore, the creator made effortsto look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant withthe name of each brother. After some searches using Google, we identified anold variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is closeto our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixatedon the Kim family...The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhangand the secret question of this account is in Korean too.We don’t know if the malware truly comesfrom Korea.However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "3160f772-d458-4bff-970c-1c0431238803",
|
||||||
|
"value": "KimJongRAT"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
|
||||||
|
"value": "Cowboy"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 117
|
"version": 118
|
||||||
}
|
}
|
||||||
|
|
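Review bot: the new KimJongRAT `"description"` string has words run together where the text was pasted from the malware.lu PDF (`RAT/stealeris`, `analyse.Furthermore`, `effortsto`, `withthe`, `anold`, `closeto`, `fixatedon`, `laoshi135.zhangand`, `too.We`, `comesfrom`, `Korea.However`); restore the missing spaces so the cluster description reads cleanly when displayed. Two smaller points on the same hunk: the Unit 42 article given as `ref:` in the commit message (whose title names KimJongRAT) is only listed under the Cowboy entry's `"refs"`, so it could be added to the KimJongRAT `"refs"` next to the malware.lu PDF; and since the Cowboy description says it is the author's name for the encoded secondary payload rather than a family of its own, a `related` link from the Cowboy entry to the KimJongRAT uuid `3160f772-d458-4bff-970c-1c0431238803` would make that relationship machine-readable in the galaxy.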