EndClient RAT Abuses Stolen Code-Signing Certificate to Evade Antivirus Detection

North Korean cyber actors have recently deployed a sophisticated Remote Access Trojan (RAT) aimed specifically at human rights defenders (HRDs) both within South Korea and internationally. The new malware, known as “EndClient RAT,” has been able to circumvent antivirus software and Windows SmartScreen protections by using a stolen code-signing certificate.

The emergence of EndClient RAT was uncovered during a collaborative investigation with PSCORE, a prominent NGO dedicated to advocating for North Korean human rights. This incident serves as a stark reminder of the ongoing threats posed by state-sponsored cyber actors against civil society, emphasizing the critical need for proactive sharing of threat intelligence.


The delivery mechanism for the EndClient RAT involves a Microsoft Installer (MSI) package titled “StressClear.msi,” which is code-signed by Chengdu Huifenghe Science and Technology Co Ltd, a Chinese mineral excavation firm. This certificate, valid until October 2025, is believed to have been stolen, allowing the malware to masquerade as legitimate software, thereby evading detection by antivirus solutions and avoiding Windows SmartScreen alerts.

In a clever tactic, the MSI package also includes a legitimate South Korean banking software module, WIZVERA VeraPort’s Delphino package, which may serve as a distraction to further reduce suspicion among users.

A control flow image of the EndClient RAT

Upon execution, the malware deploys an AutoIT-based payload and establishes persistence by creating a scheduled task that runs every minute from the PublicMusic directory. To prevent multiple instances from running simultaneously, the RAT employs a global mutex (GlobalAB732E15-D8DD-87A1-7464-CE6698819E701) and utilizes polymorphic mutation techniques if Avast antivirus is detected. Notably, the prevalence of Avast in Korea is low, suggesting that the attackers may be repurposing code from previous campaigns.

Technical Details and Command-and-Control Protocol

The EndClient RAT maintains communication with its command-and-control (C2) server at 116[.]202[.]99[.]218:443 through a custom protocol that uses sentinel-based framing. The client transmits system information in JSON format, tagged with “endClient9688,” while receiving commands marked with “endServer9688.” This protocol supports functionality typical of RATs, including remote shell execution and file upload/download, the latter limited to 30 MB.

For remote shell communication, the malware establishes four named pipes and employs in-memory modules for handling protocol markers, Base64 encoding/decoding, and LZMA decompression. The detection rates for EndClient RAT are alarmingly low, with only 7 out of 64 detections on the dropper and a mere 1 out of 64 on the payload script. The use of AutoIT, a favored tool among North Korean threat actors, adds another layer of complexity to detection efforts, as compiled AutoIT scripts present challenges for antivirus solutions.

Organizations and individuals are advised to block the identified indicators of compromise (IOCs), search for the unique protocol markers (“endClient9688,” “endServer9688”), and monitor for artifacts related to scheduled tasks and mutex usage. It is prudent to regard signed MSIs as untrusted until their origins can be verified.
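As an added illustration of the hunting advice above (not code from the original report), the following Python scans a reassembled TCP payload for the two sentinel markers and attempts to recover the JSON system-information object that the article says the client sends. The sample stream is constructed, and the assumption that the JSON directly follows the client marker is mine, not something the article confirms.

```python
import json
from typing import Dict, List, Optional

# Protocol markers reported for EndClient RAT (taken from the article).
CLIENT_MARKER = b"endClient9688"
SERVER_MARKER = b"endServer9688"


def _json_after(data: bytes, pos: int) -> Optional[dict]:
    """Try to decode a JSON object starting at or shortly after pos.
    Assumption (not confirmed by the article): the system-information
    JSON directly follows the client marker, possibly after whitespace."""
    window = data[pos:pos + 65536].decode("utf-8", errors="replace").lstrip()
    if not window.startswith("{"):
        return None
    try:
        # raw_decode stops at the end of the first object and ignores trailing bytes
        obj, _ = json.JSONDecoder().raw_decode(window)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def scan_payload(data: bytes) -> List[Dict]:
    """Report every occurrence of either sentinel in a captured payload,
    ordered by offset, with any parsable JSON that follows it."""
    findings = []
    for marker, direction in ((CLIENT_MARKER, "client->c2"), (SERVER_MARKER, "c2->client")):
        idx = data.find(marker)
        while idx != -1:
            findings.append({
                "direction": direction,
                "offset": idx,
                "json": _json_after(data, idx + len(marker)),
            })
            idx = data.find(marker, idx + len(marker))
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: a hypothetical reassembled stream, not real captured traffic.
SAMPLE_STREAM = (
    b"\x16\x03\x01garbage"
    + b'endClient9688{"host": "WS01", "user": "analyst", "os": "Windows 10"}'
    + b"endServer9688cmd:whoami"
)

if __name__ == "__main__":
    for finding in scan_payload(SAMPLE_STREAM):
        print(finding)
```

Feed it the payload of each flow to 116[.]202[.]99[.]218:443 (or any flow, since the C2 address can change) and alert on any non-empty result.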

The discovery of EndClient RAT highlights the necessity for democratic threat intelligence and the collaboration between civil society and technical researchers to safeguard vulnerable communities against increasingly sophisticated cyber threats.
