The KimJong malware is a RAT (Remote Access Trojan) that likely originates from North Korea. It has appeared in the same campaigns as another threat that is likely North Korean, the BabyShark malware. The BabyShark malware targeted entities that were linked to the proposed denuclearization of North Korea. It was discovered that many of the systems infected with the BabyShark malware were also infiltrated by the KimJongRAT. When these campaigns were studied further, malware experts found that the two threats worked in unison: the BabyShark malware allowed the KimJongRAT to gain access to the compromised systems. Given the political nature of the targets, it is easy to speculate that the attackers may be linked to the North Korean government in some way.
It would seem that the authors of the KimJongRAT did not take advantage of all the capabilities of this high-end malware, which could have granted them almost unlimited control over the compromised machine. Instead, the attackers have chosen to collect only login credentials and some other data. The gathered data is stored in a file called 'ttmp.log', which is another stark similarity to the aforementioned BabyShark malware, which also stores its collected data in a 'ttmp.log' file.
The KimJongRAT has been programmed to siphon data from popular Web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer and Yandex Browser. This threat also targets several Web pages and online services – Facebook, Google, Yahoo, Mozilla Thunderbird and Microsoft Outlook.
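One way to hunt for the behaviour described in the two paragraphs above, shown as an added example that is not from the original article: correlate, per host and process, reads of browser credential stores by a non-browser process with the creation of a 'ttmp.log' file. The event format, the credential-store and browser executable names, and all sample hosts and paths are assumptions or constructed values; only the 'ttmp.log' name comes from the article.

```python
import json
from collections import defaultdict

STAGING_FILE = "ttmp.log"  # staging file name reported in the article
# Assumption (not from the article): credential-store file names of the listed browsers.
CRED_STORES = {"login data", "logins.json", "key4.db", "ya passman data"}
# Assumption: the browsers' own executables, whose reads of these stores are expected.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "browser.exe"}

def leaf(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(lines):
    """Correlate per (host, process): credential-store reads and ttmp.log creation."""
    seen = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
            host, image = ev["host"], ev["image"].lower()
            action, name = ev["action"], leaf(ev["target"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if action == "create" and name == STAGING_FILE:
            seen[(host, image)].add("staging")
        elif action == "read" and name in CRED_STORES and leaf(image) not in BROWSERS:
            seen[(host, image)].add("cred_read")
    # Both signals from one process is the pattern the article describes; a single
    # signal is only worth a look (backup tools and password managers read these too).
    return [(host, image, "high" if len(hits) == 2 else "review")
            for (host, image), hits in sorted(seen.items())]

# Constructed sample events (hosts, paths and process names are invented).
_RAW = [
    ("ws-01", r"C:\Users\a\AppData\Roaming\svc.exe", "read",
     r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-01", r"C:\Users\a\AppData\Roaming\svc.exe", "create",
     r"C:\Users\a\AppData\Local\Temp\ttmp.log"),
    ("ws-02", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "read",
     r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-03", r"C:\Tools\backup.exe", "read",
     r"C:\Users\c\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
]
SAMPLE = [json.dumps(dict(zip(("host", "image", "action", "target"), r))) for r in _RAW]
SAMPLE.append("truncated {record")

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

A 'ttmp.log' match on its own is graded "review" rather than "high" because the file name alone can collide with unrelated software.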
It is likely that the full capabilities of the KimJongRAT are not employed because these initial campaigns only serve to monitor the victims with the end goal of collecting data, which would then help the attackers craft more believable spear-phishing email campaigns for much more damaging future operations.