A new malware called KimJongRAT, linked to the North Korean hacking group Kimsuky, has emerged, raising concerns among cybersecurity experts. This latest threat is masquerading as a tax notice file, potentially duping unsuspecting users.
On Tuesday, the East Security Response Center (ESRC) reported that KimJongRAT, a remote access Trojan (RAT) associated with the Kimsuky group, is being distributed in HTA format. This sophisticated malware poses a significant risk to computer systems and sensitive data.
HTA (HTML Application) files are particularly dangerous as they can be executed directly on Windows systems. When users run these files, they establish communication with external servers, facilitating the download of additional malicious software.
The malware has been circulating under the innocuous name tax_notice_pdf.zip. Inside this compressed file lurks a shortcut (LNK) file disguised as tax_notice.pdf. Cybersecurity experts believe it’s being spread through targeted email phishing campaigns.
East Security’s analysis reveals that when users open the shortcut file, it triggers an encoded script that connects to a specific uniform resource locator (URL). If users proceed to download and execute the HTA file from this address, the malware installs itself alongside a decoy file that closely resembles a legitimate tax document.
A spokesperson from the Security Response Center warned that KimJongRAT demonstrates high penetration rates in environments with low security measures. They strongly advised users to maintain up-to-date Windows and software versions, and to enable the file explorer’s extension view feature. This allows users to verify file extensions before execution, adding an extra layer of security.