Lilith RAT: The Accounting Rat Hunts Your Data

CURKON shows a sophisticated way to infect computers.

In April, S2W discovered a new piece of malware masquerading as tax evasion documents that ends up delivering the Lilith RAT Trojan to your computer.

When it is run, the malicious code (dubbed CURKON) hidden in the LNK file downloads a fake document and fetches additional files from the C2 server, which eventually activate the Lilith RAT Trojan. The Trojan is written in the AutoIt language and allows remote control of the infected system.

Although the use of the Lilith RAT was previously attributed to the North Korean KONNI group, TALON noted the differences in functionality and suggested that the attack was orchestrated by a new group called puNK-003. An interesting point is that both groups used the same methods to download files from the hijacked WordPress servers, which confirms the connection between the two.

The malware used by puNK-003 was created based on pre-existing code and rewritten using AutoIt. This may indicate that both groups used the same tools to transform the code or even used AI to create their scripts. Experts warn that when working with files received from external sources, you should be especially careful and check their type before launching.
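One way to act on the advice to check a file's type before launching it, as an added example that is not part of the original post or the S2W research: a Python triage that recognizes a Windows shortcut by its MS-SHLLINK header rather than by its displayed name. The file name, the document-extension list and the sample header are constructed for illustration, and the flagged properties are generic shortcut traits, not indicators taken from CURKON.

```python
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as laid out on disk (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20        # LinkFlags bit: command-line arguments are stored
SW_SHOWMINNOACTIVE = 7      # ShowCommand value: target starts minimized
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}  # assumed decoy types


def parse_lnk_header(data: bytes):
    """Return (link_flags, show_command) for a Shell Link header, else None."""
    if len(data) < 76:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        return None
    (show,) = struct.unpack_from("<I", data, 60)
    return flags, show


def triage(name: str, data: bytes) -> list[str]:
    """List reasons a received file needs review before anyone opens it."""
    header = parse_lnk_header(data)
    if header is None:
        return []
    parts = name.lower().split(".")
    findings = []
    if parts[-1] != "lnk":
        findings.append("shell-link content under a non-.lnk name")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        findings.append("double extension: Explorer hides .lnk, shows ." + parts[-2])
    flags, show = header
    if flags & HAS_ARGUMENTS:
        findings.append("shortcut passes command-line arguments to its target")
    if show == SW_SHOWMINNOACTIVE:
        findings.append("target window starts minimized")
    return findings


def build_sample_header(flags: int, show: int) -> bytes:
    """Constructed 76-byte header for the demo; not from any real sample."""
    head = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    return head + bytes(36) + struct.pack("<I", show) + bytes(12)


if __name__ == "__main__":
    sample = build_sample_header(flags=0x20 | 0x80, show=7)
    for reason in triage("tax_notice.pdf.lnk", sample):  # constructed name
        print("-", reason)
```

A file that yields any finding is a shortcut, not a document, and should be inspected in an isolated environment instead of being double-clicked.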
