The article analyzes the Konni campaign linked to the Kimsuky cluster, highlighting how legitimate cloud and FTP services are used in a multi-stage infection chain that targets South Korea and Russian government agencies. It also notes the abuse of overseas free hosting and domain services and emphasizes the potential for early detection via EDR-based threat hunting. #Konni #Kimsuky #LilithRAT #BizNF #WebFreeHosting #RussianMinistryOfForeignAffairs #SouthKorea
Key points
- Expansion of the Konni threat campaign tied to the Kimsuky cluster.
- Use of legitimate cloud and FTP services to construct a step-by-step infection chain.
- Reports of attacks targeting both South Korea and Russian government agencies.
- Abuse of overseas free web hosting and domain services as attack bases.
- Expectation that EDR-based active threat hunting can enable early detection of abnormal endpoint behavior.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Spear phishing via email with attached malware payloads. ‘Spear phishing is used as a core attack tactic.’
- [T1566.002] Spearphishing Link – Emails contain linked files or resources to deliver payloads. ‘Files attached or linked in emails are used to deliver payloads.’
- [T1203] Exploitation for Client Execution – Malicious documents exploited to run payloads. ‘Using malicious documents to exploit vulnerabilities in applications.’
- [T1071] Application Layer Protocol – C2 communications over HTTP/S. ‘Using HTTP/S for command and control communications.’
- [T1053] Scheduled Task/Job – Persistence by creating scheduled tasks. ‘Creating scheduled tasks to maintain persistence on the system.’
- [T1583.001] Acquire Infrastructure – Abuse of overseas free web hosting and domain services to establish attack bases. ‘Abuse of overseas free web hosting and domain services as attack bases.’
Indicators of Compromise
- [Domain] C2 hosting domains used in KONNI campaigns – h378576.atwebpages[.]com, gg1593.c1[.]biz, gjdow.atwebpages[.]com, thictu.sportsontheweb[.]net
- [Domain] WebFreeHosting representative domains – atwebpages[.]com, getenjoyment[.]net, medianewsonline[.]com, myartsonline[.]com
- [Domain] Additional domains listed as attack infrastructure – mygamesonline[.]org, mywebcommunity[.]org, onlinewebshop[.]net, scienceontheweb[.]net, sportsontheweb[.]net
- [File Name] Examples of malicious documents used in campaigns – RMNCH proposal in DPRK.doc, 마켓팅플랜.hwp
- [File Name] Other samples observed – 경제 relations.doc, Паспорт.doc, 보상명부.xlam, текст выступления.doc, SpravkiBKsetup_ver._2.5.msi, StatRKZU.msi
- [MD5] File hashes associated with samples – a0d332a95e2f42a7f26dd452c63938a4, 70b84f854b86d2ee6349ed348ef824ac
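The key point about EDR-based hunting and the indicator list above can be turned into a small, repeatable hunting check. The following script is an added example, not code from the original article or from Genians: it refangs the listed domains and hashes, then scans a constructed, hypothetical key=value endpoint log (the log format, host names, paths and timestamps are assumptions for illustration) for DNS queries to the listed C2 hosts, DNS queries to any subdomain of the free-hosting providers, and file events whose MD5 matches the listed samples. Subdomains of the free-hosting parents are flagged at a lower severity, because those providers also serve benign sites.

```python
import re
from typing import Optional

# Indicators transcribed from the brief above, kept defanged ("[.]") as listed.
KONNI_C2_DOMAINS = [
    "h378576.atwebpages[.]com",
    "gg1593.c1[.]biz",
    "gjdow.atwebpages[.]com",
    "thictu.sportsontheweb[.]net",
]
FREE_HOSTING_PARENTS = [
    "atwebpages[.]com", "getenjoyment[.]net", "medianewsonline[.]com",
    "myartsonline[.]com", "mygamesonline[.]org", "mywebcommunity[.]org",
    "onlinewebshop[.]net", "scienceontheweb[.]net", "sportsontheweb[.]net",
]
SAMPLE_MD5S = {
    "a0d332a95e2f42a7f26dd452c63938a4",
    "70b84f854b86d2ee6349ed348ef824ac",
}

# Constructed sample log (assumed key=value EDR export; hosts/paths are made up).
SAMPLE_EDR_LOG = [
    "2024-03-01T09:12:44Z host=PC-17 event=dns query=gjdow.atwebpages.com",
    r"2024-03-01T09:13:02Z host=PC-17 event=file_write path=C:\Users\u\Downloads\StatRKZU.msi md5=70b84f854b86d2ee6349ed348ef824ac",
    "2024-03-01T09:14:00Z host=PC-22 event=dns query=update.microsoft.com",
    "2024-03-01T09:15:10Z host=PC-09 event=dns query=news.mygamesonline.org",
    "2024-03-01T09:16:30Z host=PC-09 event=dns query=evilatwebpages.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") into a matchable lowercase hostname."""
    return indicator.lower().replace("[.]", ".")


def classify_host(host: str) -> Optional[str]:
    """Return 'c2' for an exact listed C2 host, 'free-hosting' for any
    subdomain of a listed free-hosting provider, or None otherwise."""
    h = host.lower().rstrip(".")
    if h in {refang(d) for d in KONNI_C2_DOMAINS}:
        return "c2"
    for parent in map(refang, FREE_HOSTING_PARENTS):
        # Require a label boundary so "evilatwebpages.com" does not match.
        if h == parent or h.endswith("." + parent):
            return "free-hosting"
    return None


def parse_event(line: str) -> dict:
    """Parse one key=value log line; the first token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def hunt(lines) -> list:
    """Scan log lines and return one finding per matched indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        endpoint = ev.get("host")
        if ev.get("event") == "dns" and "query" in ev:
            kind = classify_host(ev["query"])
            if kind == "c2":
                findings.append({"endpoint": endpoint, "severity": "high",
                                 "reason": f"DNS query to listed Konni C2 host {ev['query']}"})
            elif kind == "free-hosting":
                findings.append({"endpoint": endpoint, "severity": "medium",
                                 "reason": f"DNS query to free-hosting domain {ev['query']}; review"})
        if ev.get("md5", "").lower() in SAMPLE_MD5S:
            findings.append({"endpoint": endpoint, "severity": "high",
                             "reason": f"file {ev.get('path')} matches listed sample MD5 {ev['md5']}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EDR_LOG):
        print(f"[{f['severity']}] {f['endpoint']}: {f['reason']}")
```

On the constructed log this yields three findings: two high (the C2 query and the hash match on PC-17) and one medium (a subdomain of mygamesonline.org on PC-09); the look-alike `evilatwebpages.com` is not flagged because matching is done on label boundaries.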
Read more: https://www.genians.co.kr/blog/threat_intelligence/konni_universe