KimJongRAT/stealer malware analysis

2013-06-10 Malwarelu

https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf

Attachments

RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf (2 MB)


Malware.lu CERT and itrust analyzed a suspicious PDF named “Draft response letter Slovenia.pdf”, uploaded to malwr.com in May 2013, which they identify as KimJongRAT/Stealer. The report describes a PDF exploit that deploys sysninit.ocx and a launcher, with sections covering resource manipulation, file creation, .lnk persistence, display of a decoy PDF, and hidden initialization. It also documents DLL injection into explorer.exe, an IAT hook of ntdll.ZwQueryDirectoryFile that hides the malware's files from Explorer, obfuscation, and VirtualBox detection. Command-and-control behaviour is covered in first and second C&C sections, including a figure showing how the Gmail request is constructed, making the report useful for understanding early RAT deployment, stealth, and communications tradecraft.

Indicators of Compromise

