Attacks/Breaches

8/8/2017 06:05 PM

Konni Malware Campaign Targets North Korean Organizations

For at least three years, an unknown threat actor has used the RAT to steal data and profile organizations in North Korea.

An unknown threat actor has been quietly carrying out intermittent cyber campaigns against North Korean organizations for at least the last three years using a relatively unsophisticated but constantly evolving Remote Access Trojan (RAT).

Security researchers have so far counted three separate campaigns in 2017 in which the so-called Konni Trojan has been used against North Korean targets.

The most recent was in July in the immediate aftermath of news that the North Korean government had successfully tested an Intercontinental Ballistic Missile supposedly capable of reaching US targets. In all, there have been at least five separate Konni campaigns directed at targets in the reclusive country over the past few years.

Cylance, the latest security vendor to analyze the malware, said this week that the motivations behind the Konni campaigns remain unclear but could be related to hacktivism.

Its recent analysis of a Konni sample also suggests that the malware may have links to DarkHotel, the APT campaign exposed in 2014 that stole data from business travelers at luxury hotels, the company noted in a blog this week.

Kaspersky Lab, which was the first to uncover the DarkHotel malware campaign, had at the time said that evidence pointed to the authors as being possibly of Korean origin. Some researchers had at the time said the signs pointed more specifically to the campaign originating in South Korea.

"[Konni] essentially is a still evolving, full-featured RAT," says Kevin Finnigin, manager of threat guidance at Cylance. The company's analysis suggests that additional capabilities are probably under development, he says.

Cylance said its analysis showed Konni to be a uniquely crafted RAT that combines some basic anti-detection techniques with social engineering and intelligence-harvesting capabilities. The malware has typically been distributed via phishing emails carrying a decoy document, usually about a North Korea-related news event; opening the lure executes the malware on the victim's machine.

"The malware runs in the background and there is no visual cue for the user that opened the malware that it did anything other than open the decoy document," Finnigin says.

Meanwhile, the malware profiles the victim organization's network and connected systems through host enumeration, screenshots, keystroke logging and other means. The data it gathers is then used to launch targeted follow-on attacks against the organization.
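The lure pattern described above, a file that opens a decoy document while the payload runs in the background, is something a mail gateway or an analyst's triage script can screen for before anyone double-clicks. The block below is an added example, not code from the original article or from Cylance or Talos. It assumes the common case where the dropper is a Windows PE image disguised by its extension, by a double extension, or by a bundled decoy document; the article does not state which of these Konni used, and the sample "attachments", the extension lists and the magic-byte table are all constructed here for illustration.

```python
"""Triage check for attachments that look like documents but carry executable code.

Added illustration only. Sample attachments are constructed inline as bytes;
nothing is read from disk or from the network.
"""
from dataclasses import dataclass, field

# Constructed lists: what a document-only mail flow expects vs. what can execute.
DOC_EXTENSIONS = {"doc", "docx", "pdf", "hwp", "rtf", "xls", "ppt", "txt"}
EXEC_EXTENSIONS = {"exe", "scr", "dll", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}

# Magic bytes for the container formats distinguished here (constructed table).
MAGIC = {
    b"MZ": "pe",                 # Windows PE executable / DLL / screensaver
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office (.doc/.xls/.ppt), also .hwp
    b"PK\x03\x04": "zip",        # OOXML (.docx etc.) is a zip container
    b"{\\rtf": "rtf",
}


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def detect_container(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the claimed extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> Finding:
    """Return the reasons (possibly none) an attachment deserves a second look."""
    finding = Finding(name)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    container = detect_container(data)

    # 1. A "document" whose bytes are actually a PE image.
    if ext in DOC_EXTENSIONS and container == "pe":
        finding.reasons.append(f"extension .{ext} but PE header")

    # 2. Executable extension hidden behind a document-looking name (report.doc.scr).
    if ext in EXEC_EXTENSIONS and len(parts) > 2 and parts[-2] in DOC_EXTENSIONS:
        finding.reasons.append("double extension")
    # 3. Any executable extension at all where only documents are expected.
    elif ext in EXEC_EXTENSIONS:
        finding.reasons.append(f"executable extension .{ext}")

    # 4. A PE that carries a document inside it: the decoy bundled with the dropper.
    if container == "pe":
        for magic, kind in MAGIC.items():
            if kind != "pe" and magic in data[2:]:
                finding.reasons.append(f"embedded {kind} inside PE")
                break

    # 5. Right-to-left override, used to make "evil\u202ecod.scr" render as "evilrcs.doc".
    if "\u202e" in name:
        finding.reasons.append("right-to-left override in filename")

    return finding


# Constructed sample attachments; names echo the news-themed lures the article mentions.
SAMPLES = {
    "missile_test_analysis.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,  # genuine OLE doc
    "briefing.pdf": b"%PDF-1.5\n" + b"%" * 32,                                          # genuine PDF
    "press_release.doc.scr": b"MZ\x90\x00" + b"\x00" * 60 + b"%PDF-1.4 decoy",         # dropper + decoy
    "summary.docx": b"MZ\x90\x00" + b"\x00" * 100,                                      # PE masquerading
    "notes.txt": b"plain text only",
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its list of reasons; empty list means nothing flagged."""
    return {name: triage(name, data).reasons for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:28s} {'clean' if not reasons else '; '.join(reasons)}")
```

The check is deliberately independent of any Konni-specific indicator: it keys on the mismatch between what a file claims to be and what its bytes and name actually are, which is the property every decoy-document dropper shares regardless of packer or version.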

Cisco's Talos security group, which profiled the Konni campaign on two separate occasions earlier this year, has described the malware as rapidly evolving. In a blog back in May, Talos said that its analysis of Konni's decoy documents suggested that the targets were mainly public organizations and embassies linked to North Korea.

In the three years that Konni has been around, the malware has improved in multiple ways, Talos has noted. It started out purely as an information stealer but quickly morphed into a RAT, and it has evolved from a single-file malware into a two-file one, an executable plus a dynamic-link library.

In addition, Konni's authors have improved the malware's command handling. The actions it can take now include deleting and exfiltrating files, taking screenshots and uploading them to a command-and-control server, gathering information to profile the infected system, and executing remote commands.

New versions of the malware also search for files generated by previous versions of Konni, suggesting that it has been used repeatedly against the same targets, Talos has observed. The authors recently introduced a 64-bit version and have begun using a packer to make analysis harder, Talos researchers noted in their second Konni blog, in July this year.

Despite the improvements, Konni still appears relatively easy to reverse engineer, so its capabilities can be traced back to its source code. "Other RATs and bots [such as] Zeus and Dridex are heavily obfuscated and employ many techniques to hinder analysis," Finnigin says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
