Konni PowerShell Espionage via LNK Decoy

The article analyzes a Konni-attributed malicious shortcut named “국가안보연보고서2.hwp.lnk”. The LNK runs a hidden PowerShell command that locates a container file exactly 2,116,116 bytes in size, extracts three hex-encoded payload segments from it, writes three files to disk (attach.hwp, heidi.db, heidisqls.exe), opens the decoy HWP and executes the dropped EXE with the DB file as an argument. It documents the sample’s file hashes and on-disk IOCs, notes the execution techniques used (hidden window, ExecutionPolicy bypass) and observes a behavioral similarity to RoKRAT.

Keypoints

  • The sample masquerades as a research report in HWP format: the shortcut is named 국가안보연보고서2.hwp.lnk, and because Windows never displays the .lnk extension it appears to the user as an .hwp document. The activity is attributed to the North Korean actor Konni.
  • PowerShell is launched with “-WindowStyle Hidden -ExecutionPolicy Bypass -Command …”, so the embedded script runs with no visible window and the execution policy (which is not a security boundary) does not block it.
  • The script searches %TEMP% and the current directory for a single file exactly 2,116,116 bytes in size to use as a container for embedded payloads.
  • The container is read as ASCII, split at markers NCFO/BCFO/SCFO/KCFO, and the three extracted hex strings are converted to binaries and written to disk.
  • Dropped files are C:\Users\Public\attach.hwp (opened as a decoy), C:\ProgramData\heidi.db and C:\ProgramData\heidisqls.exe (executed with the DB file as its argument), so the malicious activity runs while the user is looking at the decoy document.
  • Provided IOCs include filenames, full file paths and cryptographic hashes (MD5/SHA-1/SHA-256); the analyst notes that the behavior resembles RoKRAT.
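The extraction step described in the keypoints above, as an added example (analyst-side Python for carving the container, not the sample's PowerShell and not code from the original write-up). It assumes the container layout is NCFO, hex payload, BCFO, hex payload, SCFO, hex payload, KCFO, in that order, and that the three segments map to attach.hwp, heidi.db and heidisqls.exe in that order; the write-up names the markers and the output files but does not spell out the byte layout. The container bytes built inside the block are constructed, not the real sample. The summary also does not say which file the 2,116,116-byte container is; in LNK droppers of this kind it is commonly the shortcut itself, which the script relocates by size rather than by name.

```python
"""Carve hex-encoded payloads out of a Konni-style container file.

Added example, not code from the original write-up. Assumed layout
(labelled as an assumption): NCFO <hex> BCFO <hex> SCFO <hex> KCFO,
with the three segments mapping to attach.hwp, heidi.db, heidisqls.exe.
"""
from pathlib import Path

CONTAINER_SIZE = 2_116_116  # size the LNK script searches for (from the write-up)
MARKERS = [b"NCFO", b"BCFO", b"SCFO", b"KCFO"]
# Output names reported in the write-up, in the assumed segment order.
OUTPUT_NAMES = ["attach.hwp", "heidi.db", "heidisqls.exe"]


def find_candidate_containers(dirs, size=CONTAINER_SIZE):
    """Return regular files in `dirs` whose size is exactly `size` bytes.

    Mirrors the script's own discovery step (%TEMP% and the current
    directory) so an analyst can locate the container on an infected host.
    """
    hits = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in p.iterdir():
            if f.is_file() and f.stat().st_size == size:
                hits.append(f)
    return hits


def split_segments(data: bytes, markers=MARKERS):
    """Return the raw byte segments between consecutive markers, in order.

    Raises ValueError if a marker is missing or out of order: a truncated
    or tampered container should fail loudly, not yield empty payloads.
    """
    positions = []
    start = 0
    for m in markers:
        idx = data.find(m, start)
        if idx < 0:
            raise ValueError(f"marker {m!r} not found after offset {start}")
        positions.append(idx)
        start = idx + len(m)
    segments = []
    for (a, m), b in zip(zip(positions, markers), positions[1:]):
        segments.append(data[a + len(m):b])
    return segments


def decode_hex_segment(seg: bytes) -> bytes:
    """Turn one ASCII hex segment into binary.

    Whitespace is stripped first (the script reads the container as ASCII,
    so line breaks are not payload). Odd length or non-hex raises ValueError.
    """
    cleaned = b"".join(seg.split())
    if len(cleaned) % 2:
        raise ValueError("hex segment has odd length")
    return bytes.fromhex(cleaned.decode("ascii"))


def carve(data: bytes) -> dict:
    """Map each reported output name to its decoded payload."""
    segs = split_segments(data)
    if len(segs) != len(OUTPUT_NAMES):
        raise ValueError(f"expected {len(OUTPUT_NAMES)} segments, got {len(segs)}")
    return {name: decode_hex_segment(s) for name, s in zip(OUTPUT_NAMES, segs)}


def classify(payload: bytes) -> str:
    """Cheap magic-byte check so the analyst can confirm what was carved."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-compound (HWP 5.x / OLE)"
    if payload.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    return "unknown"


def build_sample_container() -> bytes:
    """Constructed test container (not the real sample): three tiny payloads."""
    hwp = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # OLE header stub
    db = b"\x00\x01\x02\x03"                                   # arbitrary bytes
    exe = b"MZ" + b"\x90" * 6                                  # PE header stub
    return (b"NCFO" + hwp.hex().encode() + b"BCFO" + db.hex().encode()
            + b"SCFO" + exe.hex().encode() + b"KCFO")


if __name__ == "__main__":
    for name, blob in carve(build_sample_container()).items():
        print(name, len(blob), classify(blob))
```

On a live host, feed `find_candidate_containers([os.environ["TEMP"], os.getcwd()])` into `carve` and check `classify` on each result before writing anything to disk; the size match alone is a weak signal, the marker sequence is the confirmation.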

MITRE Techniques

  • [T1059.001] PowerShell: runs the embedded script via “-WindowStyle Hidden -ExecutionPolicy Bypass -Command "…"”.
  • [T1564.001] Hidden Window: hides the console window (-WindowStyle Hidden) so the user sees only the decoy.
  • [T1204.002] User Execution: Malicious File: the chain starts when the user opens the LNK shortcut.
  • [T1083] File and Directory Discovery: searches %TEMP% and the current folder for a single file exactly 2,116,116 bytes in size.
  • [T1027] Obfuscated Files or Information: payloads are stored as hex strings between markers inside the container and decoded to binaries at run time.
  • [T1105] Ingress Tool Transfer (the source’s mapping): writes the three files to disk and runs the dropped EXE with the DB file as argument: Start-Process "c:\users\public\attach.hwp"; … c:\programdata\heidisqls.exe c:\programdata\heidi.db. Note that the payloads are carved from a local container rather than fetched over the network, so the drop step itself involves no network transfer; any download would happen only in the later stage, which this summary does not describe.
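A detection sketch for the techniques listed above, added here as an example and not taken from the write-up. It scores process-creation records for a hidden PowerShell with execution policy bypassed (including the abbreviated -w/-ep forms PowerShell accepts as unambiguous parameter prefixes), an Explorer parent (what a double-clicked LNK looks like), a decoy document opened from C:\Users\Public, and an executable under C:\ProgramData run with a .db argument. The records are constructed in a simple key=value form using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine); feeding the same dictionaries from a real SIEM is left to the reader.

```python
"""Score process-creation records for the LNK -> hidden PowerShell -> dropped EXE chain.

Added example, not from the original write-up. Log lines are constructed;
field names follow Sysmon Event ID 1 (an assumption about the collector).
"""
import re
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records ("key=value" pairs joined with "|").
SAMPLE_EVENTS = [
    # 1: LNK opened from Explorer; flags and script fragment as reported in the write-up
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine=powershell.exe "
    f"-WindowStyle Hidden -ExecutionPolicy Bypass -Command \"... Start-Process "
    f"'c:\\users\\public\\attach.hwp'; c:\\programdata\\heidisqls.exe c:\\programdata\\heidi.db\"",
    # 2: the dropped EXE run with the DB file as argument
    f"ParentImage={PS}|Image=C:\\ProgramData\\heidisqls.exe|"
    f"CommandLine=c:\\programdata\\heidisqls.exe c:\\programdata\\heidi.db",
    # 3: benign admin PowerShell, must not fire
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine=powershell.exe -NoProfile -Command Get-Date",
    # 4: same technique with abbreviated parameters and a service parent
    f"ParentImage=C:\\Windows\\System32\\svchost.exe|Image={PS}|CommandLine=powershell.exe -ep bypass -w hidden -c \"...\"",
]

# PowerShell accepts unambiguous prefixes, so -w, -win, -WindowStyle all mean the same
# thing, as do -ep, -ex, -exec, -ExecutionPolicy. Match the prefixes, not only the long form.
HIDDEN = re.compile(r"(?<!\S)-w\w*\s+hidden\b", re.I)
BYPASS = re.compile(r"(?<!\S)-e(?:p|x\w*)\s+bypass\b", re.I)
PUBLIC_HWP = re.compile(r"c:\\users\\public\\\S+?\.hwp", re.I)
DB_ARG = re.compile(r"\s\S+\.db\b", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single record triggers, in a fixed order."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    hits: List[str] = []
    if is_powershell(image) and HIDDEN.search(cmd) and BYPASS.search(cmd):
        hits.append("powershell_hidden_bypass")
        # explorer.exe is the parent when a user double-clicks a shortcut
        if parent.lower().endswith("\\explorer.exe"):
            hits.append("explorer_spawned_hidden_powershell")
    if PUBLIC_HWP.search(cmd):
        hits.append("public_dir_hwp_decoy")
    low_image = image.lower()
    if low_image.startswith("c:\\programdata\\") and low_image.endswith(".exe") and DB_ARG.search(cmd):
        hits.append("programdata_exe_with_db_argument")
    # Exact-name IOC from the write-up; cheap but brittle, so it sits last.
    if low_image.endswith("\\heidisqls.exe") or "heidisqls.exe" in cmd.lower():
        hits.append("ioc_heidisqls_exe")
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    """Evaluate every record and return the per-record rule hits."""
    return [evaluate(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for i, hits in enumerate(scan(SAMPLE_EVENTS), 1):
        print(f"event {i}: {hits or 'clean'}")
```

The first two rules are behavioral and survive a renamed payload; the last two are tied to paths and names from this sample and should be treated as IOC matches, not as durable detections. Record 3 shows the intended false-negative: an Explorer-spawned PowerShell without the hidden/bypass pair does not fire on its own.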

Indicators of Compromise

  • [File Hashes] hashes reported for the LNK sample: MD5 6b5d31a3d90b764b78c9cdfac2656d5c, SHA-1 cb5db685f1f88ac1926ca493b13194de0f84d4a2, SHA-256 b3096199a4e7ee7a51147d734fd107e2cf8fac01c4e642c9b35b7185957721b9
  • [Shortcut (LNK)] lure filename used to trigger execution: 국가안보연보고서2.hwp.lnk (malicious shortcut that runs the hidden PowerShell)
  • [File Names/Paths] dropped files and execution artifacts on disk: C:\Users\Public\attach.hwp, C:\ProgramData\heidi.db and C:\ProgramData\heidisqls.exe
  • [File Size] container file used as payload carrier: exactly 2,116,116 bytes (the script locates it by size, then carves the embedded hex payloads from it)
  • [Command Line] PowerShell parameters observed in the LNK: “-WindowStyle Hidden -ExecutionPolicy Bypass -Command "…"” (used to run the extraction and drop routine)


Read more: https://wezard4u.tistory.com/429689