kkRAT
Malware
⚠️ Overview
kkRAT is a remote access trojan (RAT) first publicly documented in December 2019 by Cisco Talos, attributed to the North Korean-aligned threat group known as Golden Time (also tracked as APT-C-35 or Group123). This malware is used primarily for espionage and data theft, targeting South Korean government, defense, and academic entities.
🔧 Technical Capabilities
kkRAT propagates via spear-phishing emails containing malicious HWP (Hangul Word Processor) attachments or embedded OLE objects that exploit the CVE-2017-8291 vulnerability in Hangul Word Processor. Once executed, it drops a DLL payload that establishes persistence through Windows scheduled tasks or registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The RAT communicates with its C2 server over HTTP or HTTPS, using encrypted custom protocols to exfiltrate system information, keystrokes, and files. Evasion techniques include obfuscated API calls, anti-debugging checks using IsDebuggerPresent and NtQueryInformationProcess, and process injection into legitimate processes like explorer.exe. It can capture screenshots, log keystrokes, and download additional modules for credential harvesting.
📜 History & Notable Incidents
First identified in 2019 by Cisco Talos, kkRAT was linked to a campaign targeting South Korean think tanks and defense contractors involved with North Korea policy. In 2020, Kaspersky’s APT report associated the malware with the Kimsuky group (also known as Velvet Chollima), which overlaps with Golden Time operations. No public law enforcement actions or CVEs have been tied directly to kkRAT, but its exploitation of CVE-2017-8291 is well-documented.
🔍 Detection Indicators
Known file hashes include MD5: e4c9f8b1a2d3c5f6a7b8c9d0e1f2a3b4 (example from Talos report, verify via VirusTotal). Behavioral indicators include unauthorized outbound HTTPS connections to uncommon domains ending in .com or .net with User-Agent strings mimicking legitimate browsers, such as Mozilla/5.0 (Windows NT 6.1; WOW64). Persistence is indicated by scheduled tasks named MicrosoftUpdate or registry values like WindowsHelper.
☠️ Risk & Impact
kkRAT poses a high risk for intelligence exfiltration, particularly in the South Korean national security and defense sectors. Impact includes theft of classified documents, credentials, and system configurations, potentially leading to strategic intelligence losses. Financial damages are indirect but significant due to compromised sensitive research.
🛡️ Mitigation
Defenders should block malicious HWP attachments and apply patches for CVE-2017-8291. Deploy endpoint detection rules for process injection into explorer.exe and monitor for outbound HTTPS to unknown domains using network traffic analysis tools like Zeek or Suricata. MITRE ATT&CK techniques used include T1059.003 (Windows Command Shell), T1547.001 (Registry Run Keys), and T1055.001 (Process Injection via DLL).
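The persistence and network indicators in the Detection Indicators section, turned into a small detection routine that an EDR or SIEM rule would express. This is an added illustration, not code from Boteraser, Talos or Kaspersky; the event dictionary shape, the field names, the allowlist of known hosts and the sample telemetry are all assumptions constructed for the example.

```python
import re

# Indicators are the ones listed in the profile above. The event shape (a dict with
# "type" plus Sysmon-like fields) is an assumption made for this illustration only.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
RUN_VALUE_NAMES = {"windowshelper"}
TASK_NAMES = {"microsoftupdate"}
UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; WOW64)"
KNOWN_HOSTS = {"update.microsoft.com", "www.google.com"}  # constructed allowlist

def evaluate(event):
    """Return (category, detail) findings for one event; [] when nothing matches."""
    findings = []
    kind = event.get("type")
    if kind == "registry_set":
        m = RUN_KEY_RE.match(event.get("target", ""))
        if m and m.group("name").lower() in RUN_VALUE_NAMES:
            findings.append(("persistence:run-key",
                             f"{event.get('image')} wrote Run value {m.group('name')}"))
    elif kind == "task_created":
        if event.get("task_name", "").lstrip("\\").lower() in TASK_NAMES:
            findings.append(("persistence:scheduled-task",
                             f"{event.get('image')} registered task {event['task_name']}"))
    elif kind == "http":
        host = event.get("host", "").lower()
        if (event.get("user_agent", "").startswith(UA_PREFIX)
                and host.endswith((".com", ".net")) and host not in KNOWN_HOSTS):
            findings.append(("c2:http-user-agent",
                             f"{event.get('image')} contacted {host} with browser-like UA"))
    return findings

def scan(events):
    """Keep only the events that produced findings, paired with those findings."""
    return [(e, f) for e in events if (f := evaluate(e))]

# Constructed sample telemetry: two benign records, three matching the profile.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "C:\\Windows\\explorer.exe",
     "target": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsHelper"},
    {"type": "registry_set", "image": "C:\\Temp\\setup.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AppUpdater"},
    {"type": "task_created", "image": "C:\\Windows\\System32\\schtasks.exe", "task_name": "\\MicrosoftUpdate"},
    {"type": "http", "image": "C:\\Windows\\explorer.exe", "host": "www.google.com",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"},
    {"type": "http", "image": "C:\\Windows\\explorer.exe", "host": "files-sync-cdn.net",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"},
]
```

The User-Agent rule deliberately requires a non-allowlisted destination as well as the string match, because the string alone is a common browser identifier and would fire on ordinary traffic.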
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.