KONNI Remote Access Trojan linked to attacks on North Korean affairs

10 Aug 2017

Researchers from security firm Cylance have linked a Remote Access Trojan (RAT) that is targeting North Korean affairs to the DarkHotel threat actors.

The RAT is a new variant of the long-running KONNI malware. It appeared shortly after North Korea's intercontinental ballistic missile test on July 3.

Cylance built on earlier research by Cisco Talos, which found that the latest version of the Trojan used a decoy document lifted from a Korean news agency article.

KONNI has been used in four separate campaigns related to North Korea since 2014, mostly delivered through phishing emails, Cylance states.

The dropper included a 64-bit build of KONNI and new command-and-control (C2) infrastructure hosted on what appears to be a legitimate climbing club website.

KONNI can act as a keylogger, clipboard stealer, browser data stealer and general information stealer. It combines anti-analysis techniques with social engineering lures and intelligence-gathering features.

Bitdefender separately researched a DarkHotel campaign. Its report included the hash of a malicious dropper whose decoy resembles the one used by the KONNI dropper.

“It included the SHA-1 hash (a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444) of a malicious dropper called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.’

On execution, the dropper launches a Word document that is similar to the one used in the campaign ‘Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr.’”

The format and properties of the documents are similar enough to suggest that there is a connection, Cylance claims.
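Both lures above are screensaver executables (.scr) dressed up as documents, and the one hash the article publishes is a usable indicator. The script below is an added example, not code from Cylance or Bitdefender: it sweeps a directory, compares each file's SHA-1 against the published dropper hash, and flags the lure pattern itself (an executable extension on a document-style name, or a PE "MZ" header hiding under a non-.exe extension). The name heuristic regexes are my own assumptions, and the sample files it creates are constructed stand-ins, not real malware.

```python
import hashlib
import os
import re
import tempfile

# Indicator published in the article (SHA-1 of the DarkHotel dropper).
KNOWN_DROPPER_SHA1 = {"a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444"}

# Assumed heuristics: executable extensions that Windows will run on
# double-click, and words that make a filename read like a document title.
EXEC_EXT_RE = re.compile(r"\.(scr|exe|com|pif)$", re.IGNORECASE)
DOC_WORDS_RE = re.compile(r"(directory|email|office|coordination|report|\d{4})",
                          re.IGNORECASE)


def sha1_of(path, chunk=1 << 16):
    """Stream a file through SHA-1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return the reasons a file is suspicious; an empty list means clean."""
    reasons = []
    name = os.path.basename(path)
    if sha1_of(path) in KNOWN_DROPPER_SHA1:
        reasons.append("sha1 matches published dropper hash")
    if EXEC_EXT_RE.search(name) and DOC_WORDS_RE.search(name):
        reasons.append("executable extension with document-style name")
    with open(path, "rb") as f:
        magic = f.read(2)
    # A .scr is a PE file; a genuine document never starts with "MZ".
    if magic == b"MZ" and not name.lower().endswith((".exe", ".dll")):
        reasons.append("PE header under a non-.exe extension")
    return reasons


def sweep(root):
    """Walk a directory tree and map suspicious file names to their reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            reasons = classify(os.path.join(dirpath, fn))
            if reasons:
                findings[fn] = reasons
    return findings


def make_sample_dir():
    """Constructed sample files (not malware); returns name -> path."""
    d = tempfile.mkdtemp()
    samples = {
        # Lure name from the article, with a fake 64-byte PE stub as content.
        "Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr":
            b"MZ" + b"\x00" * 62,
        "notes.docx": b"PK\x03\x04" + b"\x00" * 30,  # zip-based Office document
        "tool.exe": b"MZ" + b"\x00" * 62,            # PE under an honest extension
        "abc.txt": b"abc",                           # plain text (SHA-1 test vector)
    }
    paths = {}
    for name, data in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p
    return paths


if __name__ == "__main__":
    paths = make_sample_dir()
    for name, reasons in sweep(os.path.dirname(next(iter(paths.values())))).items():
        print(name, "->", "; ".join(reasons))
```

Only the .scr lure is flagged in the sample set, on both the naming and the PE-header checks; the hash match will fire only on the actual dropper. Treat the name regexes as a starting point to tune, since any double-extension lure campaign will use its own vocabulary.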

“The motivation behind these campaigns is uncertain; however, it does appear to be geared towards espionage against targets who would be interested in North Korean affairs,” Cylance says in its blog.

The company notes that the basic features of a backdoor, including host profiling and remote access and control, are present in the Trojan.

Cylance expects further KONNI variants to appear in the coming months, predicting that they will carry better obfuscation and possibly additional capabilities.
