New Kimsuky Malware "EndClient RAT": Technical Report and IOCs

Nov. 7, 2025, 10:10 a.m.

Description

A novel Remote Access Trojan (RAT) called 'EndClient RAT' has been discovered targeting North Korean human rights defenders. The malware, attributed to the Kimsuky group, is delivered via a signed Microsoft Installer (MSI) package disguised as 'StressClear.msi'. It uses AutoIt scripts for execution and establishes persistence through scheduled tasks and Startup folder entries. The RAT communicates with its command-and-control (C2) server over a custom protocol that uses JSON markers. Its capabilities include remote shell access, file upload and download, and system information gathering. The malware loads in-memory modules for binary search, Base64 encoding/decoding, and LZMA decompression. Detection rates for this malware are currently low, which makes public disclosure crucial for protecting the affected communities.

Date

  • Created: Nov. 7, 2025, 9:08 a.m.
  • Published: Nov. 7, 2025, 9:08 a.m.
  • Modified: Nov. 7, 2025, 10:10 a.m.

Indicators

  • dfad5a2324e4bde8ba232d914fcea4c7c765992951eb933264fe1a2aaa8da164
  • bcdd8a213cf6986bad4bb487fe1bf798e159d32fd3a88b4e8d2945403d1c428d
  • 7107c110e4694f50a39a91f8497b9f0e88dbe6a3face0d2123a89bcebf241a1d

Attack Patterns

  • EndClient RAT
  • Kimsuky

Additional Information

  • NGO