Attacks/Breaches

8/8/2017
06:05 PM

Konni Malware Campaign Targets North Korean Organizations

For at least three years, an unknown threat actor has used the RAT to steal data and profile organizations in North Korea.

An unknown threat actor has been quietly carrying out intermittent cyber campaigns against North Korean organizations for at least the last three years using a relatively unsophisticated but constantly evolving Remote Access Trojan.

Security researchers have so far counted three separate campaigns in 2017 in which the so-called Konni Trojan has been used against North Korean targets.

The most recent was in July in the immediate aftermath of news that the North Korean government had successfully tested an Intercontinental Ballistic Missile supposedly capable of reaching US targets. In all, there have been at least five separate Konni campaigns directed at targets in the reclusive country over the past few years.

Cylance, the latest security vendor to analyze the malware, said this week that the motivations behind the Konni campaigns remain unclear, but could be related to hacktivism.

In a blog post this week, Cylance also noted that its recent analysis of a Konni sample suggests the malware may have links to the 2014 DarkHotel APT campaign, which stole data from business travelers at luxury hotels.

Kaspersky Lab, which was the first to uncover the DarkHotel malware campaign, had at the time said that evidence pointed to the authors as being possibly of Korean origin. Some researchers had at the time said the signs pointed more specifically to the campaign originating in South Korea.

"[Konni] essentially is a still evolving, full-featured RAT," says Kevin Finnigin, manager of threat guidance at Cylance. The company's analysis suggests that additional capabilities are probably under development, he says.

Cylance said its analysis showed Konni to be a uniquely crafted RAT that combines some basic anti-detection techniques with social engineering and intelligence harvesting capabilities. The malware has typically been distributed via phishing emails and includes a decoy document—usually with content pertaining to some North Korean-related news event—which when opened executes the malware on a victim machine.

"The malware runs in the background and there is no visual cue for the user that opened the malware that it did anything other than open the decoy document," Finnigin says.

In the meantime, the malware is busy profiling a victim organization's network and connected systems using host enumeration, screenshots, keystroke logging and other measures. The data that the malware gathers is then used to launch specific attacks against targeted organizations.

Cisco's Talos security group, which profiled the Konni campaign on two separate occasions earlier this year, has described the malware as rapidly evolving. In a blog back in May, Talos said that its analysis of Konni's decoy documents suggested that the targets were mainly public organizations and embassies linked to North Korea.

In the three years that Konni has been around, the malware has improved in multiple ways, Talos has noted. For instance, it started off purely as an information stealer but quickly morphed into a RAT. Konni has also evolved from a single-file malware to one with dual files: an executable and a dynamic library.

In addition, Konni's authors have improved the malware's instruction handling capabilities. The actions it can take now include file deletion and exfiltration, taking screenshots and uploading them to a command and control server, gathering information for profiling systems, and executing remote commands.

New versions of the malware have also been designed to search for files generated by previous versions of Konni, suggesting that the malware has been repeatedly used against the same targets, Talos has observed. The authors have recently introduced a 64-bit version and have begun using a packer to make analysis harder, Talos researchers noted in their second Konni blog in July this year.

Despite the improvements, Konni still appears to be relatively easy to reverse engineer, so its capabilities can be traced back to source code. "Other RATs and bots [such as] Zeus and Dridex are heavily obfuscated and employ many techniques to hinder analysis," Finnigin says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
