Wednesday, April 24, 2024

North Korean Hacker Group Deliver KONNI Rat Malware Using Weaponized Office Document

The North Korean threat actors under the Kimsuky Umbrella are using a piece of malware which is called KONNI.

KONNI is a RAT (Remote Administration Tool) that is under the radar for nearly 8 years since its identification in 2014.

The owners of KONNI have been attacking political institutions in South Korea and Russia.

They distributed the malware by impersonating government software by sending emails from compromised accounts. It seems that they have also used the covid mandates to enhance their malware campaign.

On January 5th, A new campaign targeted the Russian Ministry of Foreign Affairs. They got access to one of the high-value networks through stolen credentials and exploited all the trusted connections.

Attack Process

They have been leveraging on Microsoft Office documents which involved a multi-stage attack.

Although they used these documents just to accomplish to escalate privileges and evade detection, their ultimate goal was to install KONNI rat on target systems.

The KONNI rat is a .dll file which is supported with a .ini file.

The .dll consists of the functionality whereas the .ini file specifies the address of the command and control server. The new variant is not much different from the previous version but has certain advancements.

Many of the remote administration tool malware use protection for their strings in order to bypass the basic string analysis. The strings that were used in the KONNI rat were using base64 encoding for obfuscation.

Now, they are using AES encryption with a custom alphabet that changes from time to time which takes more time to decode.

This is applied to files too. KONNI rat used a .dll file and a .ini file. These files are now encrypted with AES encryption making them difficult to analyze.

A full detailed analysis of the KONNI rat is published which gives a better understanding of the techniques and methods used.




Latest articles

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...

Rewards Up to $10 Million for Information on Iranian Hackers

The United States Justice Department has announced big rewards for information leading to the...

PoC Exploit Released For Critical Oracle VirtualBox Vulnerability

Oracle Virtualbox was identified and reported as having a critical vulnerability associated with Privilege...

Tracing the Steps of Cyber Intruders: The Path of Lateral Movement

When cyber attacks strike, it's rarely a single computer that suffers. Nowadays, cybercriminals set...

U.S. to Impose Visa Restrictions on 13 Individuals Involved in Commercial Spyware Operations

To combat the misuse of commercial spyware, the United States Department of State has...


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles