For at least three years, an unknown threat actor has used the RAT to steal data and profile organizations in North Korea.


An unknown threat actor has been quietly carrying out intermittent cyber campaigns against North Korean organizations for at least the last three years using a relatively unsophisticated but constantly evolving Remote Access Trojan.

Security researchers have so far counted three separate campaigns in 2017 in which the so-called Konni Trojan has been used against North Korean targets.

The most recent was in July in the immediate aftermath of news that the North Korean government had successfully tested an Intercontinental Ballistic Missile supposedly capable of reaching US targets. In all, there have been at least five separate Konni campaigns directed at targets in the reclusive country over the past few years.

Cylance, the latest security vendor to analyze the malware, said this week that the motivations behind the Konni campaigns remain unclear but could be related to hacktivism.

Cylance's recent analysis of a Konni sample suggests that the malware may have links to 2014's DarkHotel APT campaign for stealing data from business travelers at luxury hotels, Cylance noted in a blog this week.

Kaspersky Lab, which was the first to uncover the DarkHotel malware campaign, had at the time said that evidence pointed to the authors as being possibly of Korean origin. Some researchers had at the time said the signs pointed more specifically to the campaign originating in South Korea.

"[Konni] essentially is a still evolving, full-featured RAT," says Kevin Finnigin, manager of threat guidance at Cylance. The company's analysis suggests that additional capabilities are probably under development, he says.

Cylance said its analysis showed Konni to be a uniquely crafted RAT that combines some basic anti-detection techniques with social engineering and intelligence harvesting capabilities. The malware has typically been distributed via phishing emails and includes a decoy document—usually with content pertaining to some North Korean-related news event—which when opened executes the malware on a victim machine.

"The malware runs in the background and there is no visual cue for the user that opened the malware that it did anything other than open the decoy document," Finnigin says.

In the meantime, the malware is busy profiling a victim organization's network and connected systems using host enumeration, screenshots, keystroke logging and other measures. The data that the malware gathers is then used to launch specific attacks against targeted organizations.

Cisco's Talos security group, which profiled the Konni campaign on two separate occasions earlier this year, has described the malware as rapidly evolving. In a blog back in May, Talos said that its analysis of Konni's decoy documents suggested that the targets were mainly public organizations and embassies linked to North Korea.

In the three years that Konni has been around, the malware has improved in multiple ways, Talos has noted. For instance, it started off purely as an information stealer but quickly morphed into a RAT. Konni has also evolved from single-file malware into a two-file design: an executable and a dynamic-link library.

In addition, Konni's authors have improved the malware's instruction-handling capabilities. The actions it can now take include file deletion and exfiltration, taking screenshots and uploading them to a command-and-control server, gathering information to profile systems, and executing remote commands.

New versions of the malware have also been designed to search for files generated by previous versions of Konni, suggesting that the malware has been repeatedly used against the same targets, Talos has observed. The authors of the malware have recently introduced a 64-bit version and have begun using a packer to make analysis harder, Talos security researchers noted in their second Konni blog in July this year.

Despite the improvements, Konni still appears to be relatively easy to reverse engineer, so its capabilities can be traced back to source code. "Other RATs and bots [such as] Zeus and Dridex are heavily obfuscated and employ many techniques to hinder analysis," Finnigin says.


About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
