This application is a malicious 32-bit Windows executable file, which functions as a RAT. When executed, it de-obfuscates its application programming interfaces (APIs) and using port 443, attempts to connect to the hard-coded IP addresses listed below. After connecting, the malware waits for further instructions.
During the Command & Control server communication this is using XOR cryptographic algorithm to ensure the secure communication to receive the instructions.
This Trojan is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
It is distributing via a malicious 32-bit Windows executable file that acts as RAT to infiltrate the network and access the target network.
The Trojan has been categorised alongside a whole family of malware attributed to North Korea by the US government under the Hidden Cobra.
AR18-221A: MAR-10135536-17 – North Korean Trojan: KEYMARBLE https://t.co/aN3xKiwBZg
— US-CERT (@USCERT_gov) 9 August 2018
18.104.22.168 – Domain Name: KRYPT.COM
22.214.171.124 – Domain Name: SERVPAC.COM
126.96.36.199 – IP located in Israel
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.