Saturday, December 14, 2024
HomeMalwareNorth Korean Hacker Group Deliver KONNI Rat Malware Using Weaponized Office Document

North Korean Hacker Group Deliver KONNI Rat Malware Using Weaponized Office Document

Published on

SIEM as a Service

The North Korean threat actors under the Kimsuky Umbrella are using a piece of malware which is called KONNI.

KONNI is a RAT (Remote Administration Tool) that is under the radar for nearly 8 years since its identification in 2014.

The owners of KONNI have been attacking political institutions in South Korea and Russia.

- Advertisement - SIEM as a Service

They distributed the malware by impersonating government software by sending emails from compromised accounts. It seems that they have also used the covid mandates to enhance their malware campaign.

On January 5th, A new campaign targeted the Russian Ministry of Foreign Affairs. They got access to one of the high-value networks through stolen credentials and exploited all the trusted connections.

Attack Process

They have been leveraging on Microsoft Office documents which involved a multi-stage attack.

Although they used these documents just to accomplish to escalate privileges and evade detection, their ultimate goal was to install KONNI rat on target systems.

The KONNI rat is a .dll file which is supported with a .ini file.

The .dll consists of the functionality whereas the .ini file specifies the address of the command and control server. The new variant is not much different from the previous version but has certain advancements.

Many of the remote administration tool malware use protection for their strings in order to bypass the basic string analysis. The strings that were used in the KONNI rat were using base64 encoding for obfuscation.

Now, they are using AES encryption with a custom alphabet that changes from time to time which takes more time to decode.

This is applied to files too. KONNI rat used a .dll file and a .ini file. These files are now encrypted with AES encryption making them difficult to analyze.

A full detailed analysis of the KONNI rat is published which gives a better understanding of the techniques and methods used.

IOCs

A3CD08AFD7317D1619FBA83C109F268B4B60429B4EB7C97FC274F92FF4FE17A2
F702DFDDBC5B4F1D5A5A9DB0A2C013900D30515E69A09420A7C3F6EAAC901B12

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...