North Korea Hacking Group Konni Malicious Code – 2024 Year-End Tax Settlement Notice_Sehan.docx (2025.2.28)

This article examines malware attributed to the North Korean hacking group Konni and distributed under the file name “2024 Year-End Settlement Guide_Sehan.docx”. It provides an in-depth analysis of the malware’s functionality, including its PowerShell code and malicious behavior, and outlines how the malware executes, encrypts data, uploads sensitive information to a command and control server, and deletes evidence of its presence. Affected: North Korean hacking group, organizations targeted by the malware

Keypoints :

  • The malware is linked to the North Korean hacking group Konni.
  • The file name of the malware is “2024 Year-End Settlement Guide_Sehan.docx”.
  • The malware size is approximately 2 MB.
  • It implements complex PowerShell commands to execute malicious activities.
  • The malware searches for specific executable files to leverage for its operations.
  • It employs XOR decryption to execute malware payloads and gather sensitive user data.
  • Data collected from user directories is uploaded to an external server.
  • Upon success, the malware deletes itself to cover tracks.
  • Additional malicious files are created as part of the infection chain.
  • The malware aims to obfuscate its actions and evade detection.

MITRE Techniques :

  • TA0001 – Initial Access: The malware uses phishing tactics through a malicious document.
  • TA0002 – Execution: Executes PowerShell commands for later stages in the malware life-cycle.
  • TA0003 – Persistence: The malware maintains persistence by creating additional batch and PowerShell scripts.
  • TA0005 – Credential Access: Gathers information from user folders and uploads it to a command and control server.
  • TA0006 – Exfiltration: Data is exfiltrated via HTTP POST requests to an external server.
  • TA0009 – Collection: Collects sensitive files from user directories such as Downloads, Documents, and Desktop.

Indicator of Compromise :

  • [File Name] 2024 Year-End Settlement Guide_Sehan.docx.lnk
  • [MD5] a2785ec65622217be80174b887b1eb06
  • [SHA-1] 5820e221437e87d6663adaddedb05bb5566be3da
  • [SHA-256] b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543
  • [URL] hxxps://www.acschoolcatering.com/libraries/src/inc/get.php?ra=iew&zw=lk0100

Full Story: https://wezard4u.tistory.com/429425