New EndClient RAT Attacking Users by Leveraging Stolen Code-Signing to Bypass AV Detections

A sophisticated Remote Access Trojan labeled EndClient RAT has emerged as a significant threat targeting human rights defenders in North Korea, marking another escalation in advanced malware operations attributed to the Kimsuky threat group.

This newly discovered malware represents a concerning shift in attack sophistication, utilizing stolen code-signing certificates to evade antivirus protections and bypass Windows SmartScreen warnings.

The threat was first identified when a prominent North Korean human rights activist reported suspicious activity on her compromised account, triggering a broader investigation that uncovered the campaign’s scope and technical capabilities.

The attack chain demonstrates meticulous social engineering tactics combined with legitimate-looking delivery mechanisms.

The malware arrives through a deceptively named Microsoft Installer package titled “StressClear.msi,” which had been code-signed using stolen credentials from Chengdu Huifenghe Science and Technology Co Ltd, a Chinese mineral excavation company.

The threat actors engaged in direct, methodical conversations with targeted individuals, instructing them to download and execute the MSI file.

This approach proved effective, with at least 40 confirmed targets identified across the human rights community, though the full scope of the campaign remains unknown due to minimal antivirus detection rates.

A control flow image of the EndClient RAT (Source – 0x0v1)

0x0v1 security analysts and researchers noted that the malware demonstrates a blend of genuine software components alongside malicious payloads, creating an intricate deception that complicates detection and analysis.

Upon execution, the MSI bundle installs a legitimate South Korean banking authentication module called Delfino from WIZVERA VeraPort, potentially serving as a decoy to establish legitimacy.

Concurrently, the installer deploys a heavily obfuscated AutoIT script wrapped within the genuine AutoIt3.exe binary, allowing the malware to execute in memory while maintaining a low profile against security tools.

The combination of trusted processes and stolen signatures essentially grants the malware unauthorized system access without triggering conventional security alerts.

Technical Persistence and Detection Evasion

The EndClient RAT employs multiple layers of persistence mechanisms designed to survive system reboots and resist removal attempts.

Once installed, the malware establishes persistence through a scheduled task named “IoKlTr” that executes every minute from the PublicMusic directory.

The malware creates a globally named mutex (GlobalAB732E15-D8DD-87A1-7464-CE6698819E701) so that only one instance runs at a time, avoiding the resource exhaustion that might otherwise draw attention.

When the malware detects Avast antivirus presence, it generates polymorphic variations of itself by injecting garbage data and creating new filenames, demonstrating adaptive evasion capabilities.

The malware also registers a startup link that launches the malicious AutoIT payload during user login, ensuring consistent execution across restarts.

Communication with command-and-control infrastructure occurs through TCP socket connections using a custom protocol with JSON-based messaging framed by sentinel markers (“endClient9688” and “endServer9688”), allowing the malware to receive commands for shell execution, file downloads, and data exfiltration.
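A defender-side parser for this framing, added here as an example and not taken from the 0x0v1 report: it scans a captured TCP payload for the two sentinel strings, decodes any JSON body between them, and flags markers that carry no parseable body (a partial capture is still a hit). The frame layout (marker + JSON + same marker) and the sample field names are assumptions, and the sample capture is constructed.

```python
import json
import re

# Sentinel markers reported for the EndClient RAT custom TCP protocol.
CLIENT_MARK = b"endClient9688"
SERVER_MARK = b"endServer9688"

# Assumed framing (not confirmed by the report): MARKER + JSON + same MARKER.
# Binary-safe, non-greedy so adjacent frames are split correctly.
FRAME_RE = re.compile(rb"(endClient9688|endServer9688)(.*?)\1", re.DOTALL)


def sentinel_hit(payload: bytes) -> bool:
    """Cheap first-pass check for a packet filter or log scanner."""
    return CLIENT_MARK in payload or SERVER_MARK in payload


def extract_frames(payload: bytes) -> list:
    """One record per framed message: direction, raw body, decoded JSON.

    A frame whose body is not valid JSON is still reported with json=None,
    because the sentinel itself is the indicator worth alerting on.
    """
    frames = []
    for m in FRAME_RE.finditer(payload):
        marker, body = m.group(1), m.group(2)
        try:
            decoded = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            decoded = None
        direction = "client->c2" if marker == CLIENT_MARK else "c2->client"
        frames.append({"direction": direction, "body": body, "json": decoded})
    return frames


def summarize(payload: bytes) -> list:
    """Triage lines: direction, command field (hypothetical name), body size."""
    lines = []
    for f in extract_frames(payload):
        cmd = f["json"].get("cmd", "?") if isinstance(f["json"], dict) else "unparsed"
        lines.append(f"{f['direction']} cmd={cmd} len={len(f['body'])}")
    return lines


# Constructed sample capture (not real traffic): a beacon, a tasking reply,
# and a truncated/garbled frame. Field names are hypothetical.
SAMPLE = (
    CLIENT_MARK + json.dumps({"cmd": "hello", "host": "WS-01"}).encode() + CLIENT_MARK
    + SERVER_MARK + json.dumps({"cmd": "shell", "arg": "hostname"}).encode() + SERVER_MARK
    + SERVER_MARK + b"\x00\xff garbage " + SERVER_MARK
)

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```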

This technical architecture reveals sophisticated understanding of Windows internals and demonstrates how modern malware continues to abuse legitimate tools and signing mechanisms to bypass security defenses that organizations depend upon for protection.
