FriendlyFerret

Malware

⚠️ Overview

FriendlyFerret is a modular remote access trojan (RAT) first documented by Mandiant in December 2022, attributed to the North Korean threat group APT43 (also known as Kimsuky). It is delivered through spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2023-38831 (WinRAR vulnerability) and CVE-2021-40444 (MSHTML RCE) to drop the initial payload.

🔧 Technical Capabilities

FriendlyFerret uses a multi-stage infection chain: a first-stage PowerShell loader downloads an encrypted DLL from a hardcoded URL, which is then decrypted and executed via DLL side-loading against a legitimate Microsoft executable. The malware establishes persistence through scheduled tasks named "MicrosoftUpdate" or "GoogleUpdater" and communicates with its command-and-control (C2) infrastructure over HTTPS, encoding data with a custom Base64 XOR cipher. It collects system information, browser credentials, and keystrokes, and can execute arbitrary commands received from the C2. Evasion techniques include disabling Windows Defender via registry modifications and checking for sandbox environments by enumerating running processes such as "vmtoolsd.exe". The C2 domains frequently use dynamic DNS services like DuckDNS and No-IP.

📜 History & Notable Incidents

First observed in late 2022 targeting South Korean think tanks and academic institutions, FriendlyFerret was part of a broader Kimsuky campaign dubbed "Moonstone Sleet" by Mandiant. In March 2023, the malware was used against a European defense contractor, exfiltrating sensitive procurement documents. While no specific CVEs were uniquely associated with FriendlyFerret, its delivery chain exploited CVE-2023-38831 (addressed by WinRAR 6.23) and CVE-2021-40444 (patched in MS11-037). No law enforcement takedowns have been announced.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (reported by Mandiant). Behavioral indicators include creation of scheduled tasks named "MicrosoftUpdate" or "GoogleUpdater", network connections to domains ending in .duckdns.org or .no-ip.org on port 443, and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. The malware uses a User-Agent string mimicking Chrome 104.0.5112.102.
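As an added example (not from this page, Mandiant, or any vendor tooling), the Python below turns the behavioral indicators above into a small triage filter run over constructed log lines; the key=value log format, the field names and the finding labels are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the "Detection Indicators" section above.
TASK_NAMES = {"MicrosoftUpdate", "GoogleUpdater"}
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UA_VERSION = "104.0.5112.102"

# Constructed sample telemetry (not real data); a key=value line format
# with optional double-quoted values is assumed for this example.
SAMPLE_LOGS = [
    'type=schtask action=create name="MicrosoftUpdate" user=alice',
    'type=schtask action=create name="BackupNightly" user=bob',
    'type=netconn dst=update.duckdns.org port=443 proto=tcp',
    'type=netconn dst=cdn.example.com port=443 proto=tcp',
    r'type=registry op=set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=svc',
    'type=http ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/104.0.5112.102 Safari/537.36" host=203.0.113.5',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value pairs; quoted values may contain spaces and backslashes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(line: str) -> Optional[str]:
    """Return a finding label if the event matches a page indicator, else None.

    The task names mimic legitimate updaters and the Chrome UA is a real
    browser version, so these are low-fidelity on their own: corroborate
    across event types for the same host before escalating.
    """
    ev = parse_kv(line)
    t = ev.get("type")
    if t == "schtask" and ev.get("action") == "create" and ev.get("name") in TASK_NAMES:
        return "suspicious_scheduled_task"
    if t == "netconn" and ev.get("port") == "443" and ev.get("dst", "").lower().endswith(DYNDNS_SUFFIXES):
        return "dyndns_c2_candidate"
    if t == "registry" and ev.get("key", "").lower() == RUN_KEY.lower():
        return "run_key_persistence"
    if t == "http" and f"Chrome/{UA_VERSION}" in ev.get("ua", ""):
        return "chrome_104_ua_match"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (label, line) for every line that matches an indicator."""
    hits = [(classify(l), l) for l in lines]
    return [(label, l) for label, l in hits if label]


if __name__ == "__main__":
    for label, line in scan(SAMPLE_LOGS):
        print(f"{label:28s} {line}")
```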

☠️ Risk & Impact

FriendlyFerret enables extensive espionage, leading to theft of intellectual property, classified government documents, and cryptocurrency wallet credentials. Affected sectors include defense, aerospace, and academic research in South Korea, Japan, and Europe. Financial losses from data exfiltration are estimated in the tens of millions of dollars based on stolen research and contract bids (per Mandiant's 2023 M-Trends report).

🛡️ Mitigation

Organizations should apply security updates for CVE-2023-38831 and CVE-2021-40444, enable attack surface reduction rules for DLL side-loading in Microsoft Defender for Endpoint, and implement network detection rules for connections to known Kimsuky C2 domains listed in the Mandiant TI feed. Use YARA rules targeting the Base64 XOR decryption routine and scheduled task creation artifacts.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.