Alexandre Dulaunoy 2019-04-27 09:33:55 +02:00
parent 094f0e0684
commit 2405f1c59e
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 21 additions and 1 deletions


@ -7640,7 +7640,27 @@
},
"uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
"value": "Karkoff"
},
{
"description": "We conclude that this RAT/stealeris efficient and was also really interesting to analyse.Furthermore, the creator made effortsto look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant withthe name of each brother. After some searches using Google, we identified anold variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is closeto our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixatedon the Kim family...The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhangand the secret question of this account is in Korean too.We dont know if the malware truly comesfrom Korea.However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.",
"meta": {
"refs": [
"https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf"
]
},
"uuid": "3160f772-d458-4bff-970c-1c0431238803",
"value": "KimJongRAT"
},
{
"description": "Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
]
},
"uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
"value": "Cowboy"
}
],
"version": 117
"version": 118
}
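Review bot: the KimJongRAT "description" string (the line beginning `"description": "We conclude that this RAT/stealeris efficient`) has words run together where the text was pasted out of the PDF, for example "stealeris", "effortsto", "withthe", "anold", "closeto", "fixatedon", "laoshi135.zhangand", "comesfrom", and "analyse.Furthermore" / "Korea.However" with no space after the period, plus "dont" missing its apostrophe; these need fixing before merge. The string is also the report's whole concluding paragraph copied verbatim, including the Gmail mailbox name and its 2010 password, rather than a short summary of what the stealer is; a one- or two-sentence description that leaves the detail to the malware.lu reference already listed in "refs" would suit the cluster entry better. The Cowboy entry and the version bump from 117 to 118 look fine.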