The Konni APT ran a multi-stage campaign using spear-phishing archives that delivered malicious LNK files to install AutoIt-based RATs (EndRAT, RftRAT, RemcosRAT), maintain long-term persistence, and steal internal documents. The actor also abused compromised KakaoTalk PC sessions to redistribute malicious files to selected contacts, highlighting the need for EDR-centered, behavior-based detection and response. #Konni #KakaoTalk
Key Points
- Initial access was achieved via a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer.
- Execution of a malicious LNK shortcut triggered a PowerShell-based dropper that decoded an embedded payload, downloaded additional files from a C2, and launched an AutoIt executable.
- The attacker established long-term persistence using scheduled tasks, Startup registrations, and hidden AutoIt components while collecting internal documents and system information.
- Compromised KakaoTalk PC sessions were abused to selectively redistribute malicious files to contacts, enabling trust-based secondary propagation.
- The campaign deployed multiple RAT families sequentially (EndRAT, RftRAT, RemcosRAT) with distributed C2 infrastructure across multiple countries.
- Detection and response require EDR-centered, behavior-based correlation (e.g., LNK execution → PowerShell → scheduled tasks → C2 comms) rather than solely IoC or signature blocking.
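To make the behaviour-based correlation in the last point concrete, here is an added example (not from the original report) that rebuilds parent/child process chains from constructed Sysmon-style events and alerts only when several stages of the described chain (LNK-launched PowerShell, minute-level scheduled task, AutoIt3.exe network connection) occur on one host within a time window. The schtasks command line, host names, PIDs and the destination IP are assumptions made for the sample telemetry, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (not real logs). The schtasks command line is an
# assumption about how the minute-level task might appear; the IP is a placeholder.
EVENTS = [
    {"ts": 100, "host": "WS01", "type": "process", "pid": 10, "ppid": 1,
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 101, "host": "WS01", "type": "process", "pid": 20, "ppid": 10,
     "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -nop -enc <base64-placeholder>"},
    {"ts": 103, "host": "WS01", "type": "process", "pid": 30, "ppid": 20,
     "image": "schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Upd /tr C:\Users\u\AutoIt3.exe"},
    {"ts": 160, "host": "WS01", "type": "process", "pid": 40, "ppid": 5,
     "image": "AutoIt3.exe", "cmdline": "AutoIt3.exe APDNHFU.pdf"},
    {"ts": 161, "host": "WS01", "type": "network", "pid": 40, "dst": "203.0.113.10", "dport": 8080},
    {"ts": 200, "host": "WS02", "type": "process", "pid": 10, "ppid": 1,
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 201, "host": "WS02", "type": "process", "pid": 21, "ppid": 10,
     "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)

def stage_of(ev, procs):
    """Map one event to a chain stage, or None. `procs` is pid -> image for the host."""
    if ev["type"] == "process":
        img, cmd, parent = ev["image"].lower(), ev["cmdline"].lower(), procs.get(ev["ppid"], "")
        # A shortcut opened from the shell appears as explorer.exe spawning hidden, encoded PowerShell.
        if img == "powershell.exe" and parent == "explorer.exe" and "-enc" in cmd:
            return "lnk_powershell"
        if img == "schtasks.exe" and MINUTE_TASK.search(cmd):   # task repeating every minute
            return "minute_task"
    elif ev["type"] == "network" and procs.get(ev["pid"]) == "autoit3.exe":
        return "autoit_c2"
    return None

def correlate(events, window=300):
    """Return {host: [stages]} for hosts with >= 3 distinct stages inside `window` seconds."""
    procs, hits = defaultdict(dict), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = ev["host"]
        if ev["type"] == "process":
            procs[h][ev["pid"]] = ev["image"].lower()   # keep pid -> image to resolve parents
        st = stage_of(ev, procs[h])
        if st and st not in (s for _, s in hits[h]):
            hits[h].append((ev["ts"], st))
    return {h: [s for _, s in seq] for h, seq in hits.items()
            if len(seq) >= 3 and seq[-1][0] - seq[0][0] <= window}
```

Only WS01 fires, because WS02's script-file PowerShell launch is a single, non-encoded stage; tuning the stage predicates (for example, adding Startup-folder writes) extends the same correlation.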
MITRE Techniques
- [T1071.001] Initial Access – Spear-phishing archive delivered a malicious LNK file to induce execution and download follow-on payloads. (‘spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer’)
- [T1053.005] Persistence – Scheduled tasks were created to run AutoIt payloads at minute-level intervals to maintain long-term presence. (‘creates a Scheduled Task configured to start one minute after the current time and repeat every minute thereafter’)
- [T1005] Collection – Internal documents, user account information, and system environment data were collected from infected hosts. (‘collecting internal documents, user account information, and system environment data’)
- [T1041] Exfiltration Over Command and Control Channel – Collected data was encoded/encrypted and transmitted to external C2 servers over the established RAT channels. (‘collected data is believed to have been encrypted or encoded before being transmitted to an external server’)
- [T1071] Command and Control – RATs established socket-based C2 sessions (EndRAT custom socket protocol and other RAT C2 connections) to receive commands and transfer files. (‘creates a TCP socket and attempts to connect to a hardcoded server’)
Indicators of Compromise
- [domain] C2 domain used to host payloads and downloads – drfeysal[.]com
- [ip address] C2/IP infrastructure observed for RAT communication and payload delivery – 185.21.14[.]249, 157.180.88[.]26 (and 3 more IPs: 96.62.214[.]5, 178.16.54[.]208)
- [file hash] Malware/sample hashes observed in the campaign – 148405ff05bf15a6a053e4e7c1795d40, 2e1b0ac49313873a0e0b982c591a5264 (and 5 more hashes)
- [file name] Malicious filenames and artifacts dropped or executed on hosts – AutoIt3.exe, APDNHFU.pdf (disguised A3X AutoIt payload), Start_Web.lnk (and SVC_Init.lnk)