Attacks/Breaches
8/8/2017 06:05 PM

Konni Malware Campaign Targets North Korean Organizations

For at least three years, an unknown threat actor has used the RAT to steal data and profile organizations in North Korea.

An unknown threat actor has been quietly carrying out intermittent cyber campaigns against North Korean organizations for at least the last three years using a relatively unsophisticated but constantly evolving Remote Access Trojan.

Security researchers have so far counted three separate campaigns in 2017 in which the so-called Konni Trojan has been used against North Korean targets.

The most recent was in July in the immediate aftermath of news that the North Korean government had successfully tested an Intercontinental Ballistic Missile supposedly capable of reaching US targets. In all, there have been at least five separate Konni campaigns directed at targets in the reclusive country over the past few years.

Cylance, the latest security vendor to analyze the malware, this week said the motivations behind the Konni campaigns remain unclear, but could be related to hacktivism. 

Cylance's recent analysis of a Konni sample suggests that the malware may have links to the DarkHotel APT campaign, disclosed in 2014, which stole data from business travelers at luxury hotels, the company noted in a blog this week.

Kaspersky Lab, which first uncovered the DarkHotel campaign, said at the time that the evidence pointed to authors of possibly Korean origin. Some researchers went further and said the signs pointed more specifically to the campaign originating in South Korea.

"[Konni] essentially is a still evolving, full-featured RAT," says Kevin Finnigin, manager of threat guidance at Cylance. The company's analysis suggests that additional capabilities are probably under development, he says.

Cylance said its analysis showed Konni to be a uniquely crafted RAT that combines some basic anti-detection techniques with social engineering and intelligence harvesting capabilities. The malware has typically been distributed via phishing emails and includes a decoy document—usually with content pertaining to some North Korean-related news event—which when opened executes the malware on a victim machine.

"The malware runs in the background and there is no visual cue for the user that opened the malware that it did anything other than open the decoy document," Finnigin says.

Meanwhile, the malware is busy profiling the victim organization's network and connected systems through host enumeration, screenshots, keystroke logging and other collection techniques. The data the malware gathers is then used to launch specific attacks against the targeted organizations.

Cisco's Talos security group, which profiled the Konni campaign on two separate occasions earlier this year, has described the malware as rapidly evolving. In a blog back in May, Talos said that its analysis of Konni's decoy documents suggested that the targets were mainly public organizations and embassies linked to North Korea.

In the three years that Konni has been around, the malware has improved in multiple ways, Talos has noted. For instance, it started off purely as an information stealer but quickly morphed into a RAT. Konni has also evolved from a single-file malware to one with two files—an executable and a dynamic-link library.

In addition, Konni's authors have improved the malware's instruction handling. The actions it can now take include file deletion and exfiltration, taking screenshots and uploading them to a command and control server, gathering information for profiling systems and executing remote commands.

New versions of the malware have also been designed to search for files generated by previous versions of Konni, suggesting that the malware has been used repeatedly against the same targets, Talos has observed. The authors have recently introduced a 64-bit version and have begun using a packer to make analysis harder, Talos researchers noted in their second Konni blog in July this year.
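The delivery chain described above (a phishing attachment opens a decoy document while the payload starts silently in the background) and the two-file executable-plus-DLL form Talos describes both leave the same trace on an endpoint: a document reader spawning something it normally would not. The following is an added detection example, not code from the article, Cylance or Talos, and it carries no Konni indicators. It walks constructed process-creation records, looks for a document-reader ancestor within a few levels, and flags children that are not on a small allow-list. The reader list, allow-list, record format and every process name and path in the sample log are assumptions for illustration.

```python
"""Flag executables that run under a document-reader process.

Added example modelled on the decoy-document delivery the article
describes. Everything below (record format, process names, paths) is
constructed for illustration and is not an indicator from the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: processes that render documents on a typical Windows fleet.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                    "acrord32.exe", "hwp.exe"}
# Assumption: children a document reader legitimately spawns (tune per fleet).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}
MAX_DEPTH = 4  # how many parents to walk when looking for a reader


@dataclass
class ProcEvent:
    ts: int
    pid: int
    ppid: int
    image: str     # executable basename, lowercased
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'ts|pid|ppid|image|cmdline' record."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return ProcEvent(int(ts), int(pid), int(ppid),
                     image.strip().lower(), cmdline.strip())


def reader_ancestor(by_pid: Dict[int, ProcEvent],
                    ev: ProcEvent) -> Optional[Tuple[ProcEvent, int]]:
    """Return (reader_event, depth) for the nearest document-reader ancestor."""
    cur = ev
    for depth in range(1, MAX_DEPTH + 1):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if parent.image in DOCUMENT_READERS:
            return parent, depth
        cur = parent
    return None


def find_dropper_chains(events: List[ProcEvent]) -> List[Dict]:
    """Alert on every non-benign process with a document reader in its lineage."""
    by_pid: Dict[int, ProcEvent] = {}
    alerts: List[Dict] = []
    for ev in events:               # events must be in creation order
        by_pid[ev.pid] = ev
        if ev.image in DOCUMENT_READERS or ev.image in BENIGN_CHILDREN:
            continue
        hit = reader_ancestor(by_pid, ev)
        if hit is None:
            continue
        reader, depth = hit
        alerts.append({"ts": ev.ts, "pid": ev.pid, "image": ev.image,
                       "cmdline": ev.cmdline, "reader": reader.image,
                       "reader_pid": reader.pid, "depth": depth})
    return alerts


def detect(log_text: str) -> List[Dict]:
    """Parse a constructed log and return the alerts, oldest first."""
    events = [parse_event(l) for l in log_text.splitlines()
              if l.strip() and not l.startswith("#")]
    return find_dropper_chains(events)


# Constructed sample: a mail client opens a decoy document, which drops an
# executable (which in turn runs cmd.exe) and loads a DLL via rundll32.
SAMPLE_LOG = r"""
# ts|pid|ppid|image|cmdline
1|100|1|explorer.exe|C:\Windows\explorer.exe
2|200|100|outlook.exe|C:\Program Files\Office\OUTLOOK.EXE
3|300|200|winword.exe|WINWORD.EXE /n "C:\Users\u\Downloads\decoy.doc"
4|400|300|splwow64.exe|C:\Windows\splwow64.exe 12288
5|500|300|svchost_update.exe|C:\Users\u\AppData\Local\Temp\svchost_update.exe
6|600|500|cmd.exe|cmd.exe /c whoami
7|700|100|notepad.exe|C:\Windows\notepad.exe
8|800|300|rundll32.exe|rundll32.exe C:\Users\u\AppData\Local\Temp\k.dll,Entry
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['ts']}] {a['reader']}(pid {a['reader_pid']}) -> "
              f"{a['image']} (pid {a['pid']}, depth {a['depth']}): {a['cmdline']}")
```

Three records trip the rule: the temp-directory executable, the cmd.exe it spawns (caught two levels below the reader, which is why the lineage walk matters), and the rundll32 load of a DLL. The print-spooler helper is allow-listed and notepad has no reader in its lineage, so neither alerts. In a real deployment the value is in the allow-list tuning, since document readers do spawn helpers, and in joining the alert to file-write events for the dropped executable and DLL.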

Despite the improvements, Konni still appears to be relatively easy to reverse engineer, so its capabilities can be mapped directly from the recovered code. "Other RATs and bots [such as] Zeus and Dridex are heavily obfuscated and employ many techniques to hinder analysis," Finnigin says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
