KAgent
Malware
⚠️ Overview
KAgent is a custom backdoor first identified by FireEye in 2018 as a tool of the North Korean advanced persistent threat group APT38 (tracked as a subgroup of the Lazarus Group). It is classified as a remote access trojan (RAT) designed for stealthy reconnaissance, credential harvesting, and data exfiltration, primarily targeting financial institutions and cryptocurrency exchanges.
🔧 Technical Capabilities
KAgent establishes command-and-control via HTTPS over port 443 using a custom TLS-encrypted protocol, often proxied through compromised public servers to obscure the true C2 infrastructure. The malware achieves persistence by creating a scheduled task or a Windows service named "KAgentSvc" and stores its configuration in an encrypted registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\KAgent. Propagation is manual: it is deployed via spear-phishing emails carrying malicious Office documents (exploiting CVE-2017-11882 for initial access) or via dropped executables masquerading as legitimate software. Evasion techniques include DLL sideloading (using a legitimately signed Microsoft binary to load a malicious DLL), process injection into explorer.exe, and API unhooking to bypass security products. It collects system information, steals browser credentials, and captures keystrokes and screenshots, all of which are exfiltrated as base64-encoded JSON over HTTPS.
📜 History & Notable Incidents
KAgent was first publicly documented in FireEye's "APT38: Uncovering the Hidden Operations of North Korea's Financial Hackers" report (October 2018). It was used in the $1.1-billion theft attempt against the Bangladesh Bank in 2016; although the main tool there was SWIFT-targeting malware, KAgent formed part of the reconnaissance layer. More recently, in 2020, CrowdStrike linked KAgent to attacks on cryptocurrency exchanges in South Korea and Japan, where the malware was used to exfiltrate private keys and wallet credentials. No CVEs are assigned to KAgent itself, but it commonly exploits CVE-2017-11882 (Equation Editor vulnerability) and CVE-2021-26411 (Internet Explorer scripting engine) for initial compromise.
🔍 Detection Indicators
Known file hashes include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (a sample from FireEye's report) and several others documented on VirusTotal under the tag "KAgent". Behavioral indicators: creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\KAgent; presence of a scheduled task named KAgentUpdate; outbound HTTPS traffic to uncommon domains with high-entropy subdomains (e.g., kagent-c2.example.com). Network IOCs include User-Agent strings such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64) KAgent/1.0"; on the host, the mutex name "KAgentMutex" is used to prevent multiple instances from running.
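Added example, not code from the page or from any vendor: a small Python scan that applies the string indicators above to a constructed JSON-lines endpoint/proxy log and scores the leftmost DNS label's Shannon entropy to flag the high-entropy subdomains mentioned. The log schema, the event names and the 3.5-bit entropy threshold are assumptions made for this example.

```python
import json
import math
from collections import Counter
# Indicator strings are those quoted in the profile above; the JSON-lines log
# format is constructed for this example, not any vendor's real schema.
REGISTRY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\KAgent"
TASK_NAME, MUTEX_NAME, UA_TOKEN = "KAgentUpdate", "KAgentMutex", "KAgent/1.0"
ENTROPY_BITS = 3.5  # assumed cut-off for a "high entropy" leftmost DNS label

def label_entropy(label: str) -> float:
    """Shannon entropy in bits/char of one DNS label; random labels score high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def match_event(ev: dict) -> list:
    """Names of the KAgent indicators matched by one parsed log event."""
    kind, hits = ev.get("event"), []
    if kind == "RegistryKeyCreate" and ev.get("key", "").lower() == REGISTRY_KEY.lower():
        hits.append("registry_key")
    if kind == "ScheduledTaskCreate" and ev.get("task") == TASK_NAME:
        hits.append("scheduled_task")
    if kind == "MutexCreate" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex")
    if kind == "HttpRequest":
        if UA_TOKEN in ev.get("user_agent", ""):
            hits.append("user_agent")
        host_label = ev.get("host", "").split(".")[0]  # leftmost label only, so www.example.com stays quiet
        if label_entropy(host_label) >= ENTROPY_BITS:
            hits.append("high_entropy_subdomain")
    return hits

def scan(lines) -> dict:  # {1-based line number: matched indicators} for every line that fires
    findings = {}
    for i, line in enumerate(lines, 1):
        try:
            hits = match_event(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed or non-object line: skip it, do not abort the scan
        if hits:
            findings[i] = hits
    return findings

SAMPLE_LOG = [  # constructed events; the last one is a benign control
    '{"event": "RegistryKeyCreate", "key": "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\KAgent"}',
    '{"event": "ScheduledTaskCreate", "task": "KAgentUpdate"}',
    '{"event": "HttpRequest", "host": "x7q9zk2m4vb1.example.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) KAgent/1.0"}',
    '{"event": "MutexCreate", "name": "KAgentMutex"}',
    '{"event": "HttpRequest", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}',
]
```

Running `scan(SAMPLE_LOG)` flags lines 1 to 4 and leaves the benign fifth line out; the entropy check is a heuristic and should be tuned against your own DNS baseline before alerting on it.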
☠️ Risk & Impact
KAgent enables adversaries to conduct long-term covert surveillance, steal financial credentials, and exfiltrate sensitive business data; confirmed impacts include the loss of millions of dollars through cryptocurrency theft and unauthorized SWIFT transfers. The primary affected sectors are banking, finance, and fintech, especially institutions in Asia and the Americas. Beyond direct financial loss, KAgent compromises system integrity and erodes trust in digital financial infrastructure.
🛡️ Mitigation
Mitigation recommendations include applying all Microsoft Office patches (especially for CVE‑2017‑11882 and CVE‑2021‑26411), implementing application whitelisting to block DLL sideloading, and deploying endpoint detection rules (e.g., Sigma rule “Win_Backdoor_KAgent” from the SOC Prime repository) to flag the specific registry keys and scheduled tasks described above. Network segmentation and outbound HTTPS inspection using a TLS‑intercepting proxy can help identify anomalous C2 traffic associated with KAgent.