Analysis of the Konni APT Campaign Using AutoIt Defense Evasion Tactics

The Konni APT campaign delivers tax-notification themed spear phishing, impersonating the National Tax Service, to gain initial access. The attachments are LNK shortcuts disguised as HWP documents (double extension .hwp.lnk) whose embedded command runs BAT or VBS scripts; those scripts fetch AutoIt scripts (.au3) and run them under the legitimate AutoIt3.exe interpreter as the C2 stage, a choice made to slip past antivirus detection. Targets are individuals involved in North Korean affairs and some cryptocurrency traders. The report lists the observed IOCs and maps the activity to MITRE ATT&CK techniques.
#Konni #NationalTaxService #AutoIt #LNK #TaxEvasionReport #NorthKoreanAffairs

Keypoints

  • The Genians Security Center (GSC) reports ongoing Konni attacks disguised as financial income and tax audit notifications.
  • Targets are primarily individuals involved in North Korean affairs and some personal cryptocurrency traders.
  • The National Tax Service has issued warnings about hacking emails due to increasing cyber threats.
  • The malicious LNK's embedded command is the entry point: it launches a BAT or VBS script, which carries out the actual attack.
  • Attackers impersonate the National Tax Service to deliver tax audit-related requests and trigger document downloads.
  • The LNK-launched scripts download AutoIt script payloads (.au3) and run them with AutoIt3.exe; multiple C2 domains and IPs were observed.
  • MITRE techniques identified include Phishing (T1566), Application Layer Protocol (T1071, Command and Control tactic), Exploitation for Client Execution (T1203, Execution tactic), and Impair Defenses (T1562, Defense Evasion tactic).

MITRE Techniques

  • [T1566] Phishing – Initial access is by spear-phishing email impersonating the National Tax Service, with tax audit or tax evasion report lures carrying the malicious LNK attachments. Quote: ‘Procedure: Spear phishing emails are used to lure victims into opening malicious attachments.’
  • [T1071] Application Layer Protocol (Command and Control tactic) – The BAT/VBS scripts and the AutoIt stage contact the C2 domains and IPs listed below to fetch follow-on instructions. Quote: ‘Procedure: Malicious scripts communicate with remote servers for further instructions.’
  • [T1203] Exploitation for Client Execution (Execution tactic) – The report maps execution of the LNK-embedded command and the BAT/VBS/AutoIt stages to this ID; note that the chain it describes relies on the user opening the shortcut rather than on a software vulnerability. Quote: ‘Procedure: Malicious files execute commands on the victim’s machine through LNK files.’
  • [T1562] Impair Defenses (Defense Evasion tactic) – Running the payload as an AutoIt script under the legitimate AutoIt3.exe interpreter is the main antivirus-evasion technique described. Quote: ‘Procedure: Techniques to avoid detection by antivirus software are employed.’

Indicators of Compromise

  • [IP Address] C2 hosts contacted by the AutoIt stage – 185.231.154.22, 62.113.118.157, and other IPs (e.g., 93.183.93.185) (Table 4 of the report)
  • [Domain] C2 domains used by LNKs – cammirando.com, phasechangesolutions.com, and jethropc.com
  • [Domain] Additional C2 domains referenced in LNK flows – cavasa.com.co, executivedaytona.com
  • [File Name] Malicious LNK files named in campaigns – Tax Evasion Report Submission Request.hwp.lnk, Scholarship Application Form (Tax Evasion Report).hwp.lnk
  • [Mutex] Mutex value observed in infections – RT3AN7C9QS-7UYE-9K6G-A8F1-HY8IT3CNMEQP
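The detection logic below is an added example, not code from Genians or the report. It runs two checks over constructed telemetry events (loosely modelled on Sysmon process-create, DNS-query and network-connection records, plus a hypothetical mutex-creation event). First, for every AutoIt3.exe process running a .au3 script it walks the parent chain and flags the process only if an ancestor is cmd.exe/wscript.exe/cscript.exe with a .bat/.vbs argument or carries a double-extension LNK lure, which is the LNK -> BAT/VBS -> AutoIt path described in the Keypoints; a developer running AutoIt from Program Files is deliberately not flagged. Second, it matches the IOC values listed above, counting subdomains of the C2 domains but not substring look-alikes. The event field names, the sample events, the document extensions other than .hwp in the lure pattern and the benign AutoIt process are assumptions.

```python
"""Triage of constructed Windows telemetry for the Konni LNK -> BAT/VBS -> AutoIt chain.

All events are CONSTRUCTED for this example; IOC values are copied from the page.
Everything else (field names, paths, benign process) is an assumption.
"""
import re

# Indicators copied from the page's IOC list
IOC_IPS = {"185.231.154.22", "62.113.118.157", "93.183.93.185"}
IOC_DOMAINS = {"cammirando.com", "phasechangesolutions.com", "jethropc.com",
               "cavasa.com.co", "executivedaytona.com"}
IOC_MUTEX = "RT3AN7C9QS-7UYE-9K6G-A8F1-HY8IT3CNMEQP"
IOC_LNK_NAMES = {"Tax Evasion Report Submission Request.hwp.lnk",
                 "Scholarship Application Form (Tax Evasion Report).hwp.lnk"}

# Behavioural patterns for the chain in the page (LNK -> BAT/VBS -> AutoIt3.exe + .au3).
# The page reports .hwp.lnk lures; the other document extensions are an assumption.
DOUBLE_EXT_LNK = re.compile(r"\.(hwp|hwpx|doc|docx|pdf|xlsx)\.lnk\b", re.I)
SCRIPT_LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_FILE = re.compile(r"\.(bat|cmd|vbs)\b", re.I)
AUTOIT_EXE = re.compile(r"autoit3[^\\/]*\.exe$", re.I)   # AutoIt3.exe, AutoIt3_x64.exe, ...
AU3_SCRIPT = re.compile(r"\.au3\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def domain_hits_ioc(name):
    """Exact or subdomain match against the IOC domains; no bare substring matches."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def match_iocs(events):
    """Return (event id, indicator kind, indicator) for every event touching a listed IOC."""
    hits = []
    for ev in events:
        if ev["type"] == "dns" and domain_hits_ioc(ev["query"]):
            hits.append((ev["id"], "domain", ev["query"]))
        elif ev["type"] == "net" and ev["dst_ip"] in IOC_IPS:
            hits.append((ev["id"], "ip", ev["dst_ip"]))
        elif ev["type"] == "mutex" and ev["name"] == IOC_MUTEX:
            hits.append((ev["id"], "mutex", ev["name"]))
        elif ev["type"] == "proc":
            hits += [(ev["id"], "filename", n) for n in IOC_LNK_NAMES
                     if n.lower() in ev["cmdline"].lower()]
    return hits


def find_autoit_chains(events):
    """AutoIt3 running a .au3 whose ancestry holds a BAT/VBS launcher or an LNK lure.

    Walking the parent chain instead of alerting on AutoIt3.exe alone keeps a developer
    who runs AutoIt from Program Files out of the results.
    """
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "proc"}
    findings = []
    for ev in procs.values():
        if not (AUTOIT_EXE.search(ev["image"]) and AU3_SCRIPT.search(ev["cmdline"])):
            continue
        chain, cur, seen = [ev], ev, set()
        while cur.get("ppid") in procs and cur["ppid"] not in seen:  # guard against pid-reuse loops
            seen.add(cur["ppid"])
            cur = procs[cur["ppid"]]
            chain.append(cur)
        ancestors = chain[1:]
        script_hosts = [basename(a["image"]) for a in ancestors
                        if basename(a["image"]) in SCRIPT_LAUNCHERS and SCRIPT_FILE.search(a["cmdline"])]
        lure = any(DOUBLE_EXT_LNK.search(a["cmdline"]) for a in ancestors)
        if script_hosts or lure:
            findings.append({"chain": [basename(p["image"]) for p in reversed(chain)],
                             "script_hosts": script_hosts, "lnk_lure": lure})
    return findings


# Constructed sample telemetry: one malicious chain, one benign AutoIt developer, mixed network events
SAMPLE_EVENTS = [
    {"id": 1, "type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 2, "type": "proc", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\up.bat" "Tax Evasion Report Submission Request.hwp.lnk"'},
    {"id": 3, "type": "proc", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "%TEMP%\up.vbs"'},
    {"id": 4, "type": "proc", "pid": 103, "ppid": 102, "image": r"C:\Users\victim\AppData\Roaming\AutoIt3.exe",
     "cmdline": r'"C:\Users\victim\AppData\Roaming\AutoIt3.exe" "C:\Users\victim\AppData\Roaming\svc.au3"'},
    {"id": 5, "type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\dev\build.au3'},
    {"id": 6, "type": "dns", "query": "www.cammirando.com"},
    {"id": 7, "type": "dns", "query": "update.example.com"},
    {"id": 8, "type": "net", "dst_ip": "185.231.154.22", "dst_port": 443},
    {"id": 9, "type": "net", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"id": 10, "type": "mutex", "name": IOC_MUTEX},
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print("IOC hit:", hit)
    for finding in find_autoit_chains(SAMPLE_EVENTS):
        print("AutoIt chain:", " -> ".join(finding["chain"]), finding)
```

Run as-is, the script reports four IOC hits (LNK lure name in the cmd.exe command line, the C2 subdomain lookup, the C2 IP connection and the mutex) and one behavioural finding, explorer.exe -> cmd.exe -> wscript.exe -> autoit3.exe; the Program Files AutoIt process is left alone because nothing in its ancestry is a script launcher or an LNK lure.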

Read more: https://www.genians.co.kr/blog/threat_intelligence/autoit