
KARAE

Posted: October 16, 2019

KARAE is a backdoor Trojan that can drop other threats onto your system, as well as download or upload files. Its presence is highly indicative of an attack by APT37, a reportedly North Korea-sponsored threat actor that conducts espionage campaigns. Users can defend themselves by keeping appropriate anti-malware services in place to remove KARAE and by watching for phishing messages, such as corrupted e-mails.

The Door that a Korean Trojan Opens for the Rest of Them

Although KARAE isn't the current delivery option of choice for its previously regional threat actor, its payload has not lost its potency during its dormancy, and its place in Korean cyber-espionage history remains worthy of a lengthy footnote. As the once-preferred choice for dropping other threats onto compromised PCs, KARAE exemplifies the typical first-stage infection for both APT37 – its only known operators – and similar state-level campaigns.

KARAE is capable of a modest handful of attacks; its limited scope helps it stay efficient and evade detection. The contents of its payload include:

  • KARAE may download files onto your computer, including tools and programs useful to the attacker.
  • KARAE also may upload files from your computer to the attacker's server (usually a cloud-based C&C that abuses public storage services), such as files containing passwords or other confidential information.
  • KARAE also possesses system data-harvesting functions that take note of environmental details, such as the OS version, and relay the intelligence to the attacker.

KARAE's deployment generally relies on social media or other social engineering methods that lead victims to compromise their own computers, resulting in the undetected installation of KARAE. KARAE performs its system reconnaissance before dropping a second-stage threat, such as another backdoor Trojan, a RAT, or spyware with more fully fleshed-out features than KARAE's limited payload.

One example of social engineering at work in KARAE's deployments involves the use of a fake YouTube video downloader. While this choice isn't traditional for a state-sponsored operation, it does show how APT37 uses KARAE with a close eye on psychological manipulation and demographic targeting to maximize infection rates. While this example is from 2016, and KARAE has been set aside since that time, the threat actor may 'dust off' their old Trojan and redeploy it whenever it suits their interests.

The Dangers of a Door Left Open Too Widely

KARAE's distribution is equally likely to come through torrents or well-crafted phishing e-mails, both of which can use content that's of interest to the target demographic. Since KARAE is a 'delivery man' for other Trojans, such as SHUTTERSPEED, users should react quickly and cut KARAE off from any network access. Related threats may conduct attacks such as keylogging, screen capturing, and other functions pertinent to espionage, or even wipe the system and destroy it.

KARAE is a Windows Trojan and offers its victims no noticeable symptoms in terms of visual evidence. Users can identify infections through automated security solutions and implement appropriate network security practices to keep the infection from spreading to other PCs. Significantly, while its threat actor's historical focus is on South Korean campaigns, current activity implies more extensive interests throughout the world, such as Europe and North America. Consequently, any Windows computer could be at risk.

Have your anti-malware services remove KARAE on sight while remaining alert for related threats, such as SHUTTERSPEED, WINERACK, and ZUMKONG.

What's most important about KARAE isn't its code, but its history. Hackers who 'hack' the human mind as a matter of routine are criminals everyone should regard with healthy caution, since psychological weaknesses aren't as patchable as software.
