This article analyzes a multi-stage malware campaign likely attributable to the North Korean Konni APT group. The lure is a malicious ZIP archive containing a .lnk file disguised as a document; the campaign uses several techniques for persistence and data exfiltration and borrows familiar South Korean elements to increase victim engagement. Affected: South Korean financial institutions, government, and defense sectors.
Key points:
- The malware campaign utilizes a ZIP file containing a malicious .lnk file disguised as a Korean proposal PDF.
- The Konni APT group, active since 2014, is believed to be behind the campaign, targeting South Korean entities.
- The initial payload triggers an obfuscated PowerShell script that executes multiple batch scripts.
- The decoy PDF is crafted to appear legitimate while the real malware operates in the background.
- The campaign includes techniques for data collection and persistent execution to avoid detection.
- Indicators of compromise include specific file hashes, URLs, and file paths related to the malware operation.
MITRE Techniques:
- T1566.001 – Phishing: Spearphishing Attachment – Delivery of the initial payload via a ZIP file with a malicious .lnk file.
- T1059.001 – Command and Scripting Interpreter: PowerShell – Using an obfuscated PowerShell script to execute the next steps in the malware execution chain.
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell – Multiple batch scripts are executed to move the operation forward.
- T1059.005 – Command and Scripting Interpreter: Visual Basic – A VBS script runs silently to execute further payloads.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys – Persistence is achieved by adding a key to the Windows Registry.
- T1027 – Obfuscated Files or Information – The PowerShell script employs random variable names to obfuscate its intentions.
- T1070.004 – Indicator Removal: File Deletion – Many files are deleted to cover tracks during the malware execution process.
- T1071.001 – Application Layer Protocol: Web Protocols – Data exfiltration via HTTPS POST requests to a C2 server.
- T1573.001 – Encrypted Channel: Symmetric Cryptography – Data is encrypted using a custom encryption method before exfiltration.
- T1005 – Data from Local System – Directory information and system information are collected and prepared for exfiltration.
- T1041 – Exfiltration Over C2 Channel – Data is uploaded to a compromised server for extraction.
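The delivery step in the key points above and in T1566.001 hinges on a shortcut file whose name ends in a document extension followed by .lnk. As an added example, not code from the original write-up, the Python below inspects a ZIP archive and flags members that are disguised shortcuts, either by that double-extension pattern or by the Shell Link header (HeaderSize 0x4C plus the LinkCLSID 00021401-0000-0000-C000-000000000046) appearing under a non-.lnk name. The sample archive is constructed inline; its members use the lure filename from the IoC list and two made-up names, and the "LNK" payloads are only the header followed by padding.

```python
import io
import zipfile
from typing import List, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Document extensions commonly used as the first half of a double extension.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx",
                 ".ppt", ".pptx", ".txt")


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a disguised shortcut.

    name: member filename as stored in the archive.
    head: the first bytes of the member's content (at least len(LNK_MAGIC)).
    """
    reasons = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        stem = lower[:-4]
        if stem.endswith(DOCUMENT_EXTS):
            reasons.append("double extension: document extension followed by .lnk")
        else:
            reasons.append("shortcut file inside archive")
    # A real Shell Link header under a document extension is the inverse
    # disguise: the extension is wrong but the content is a shortcut.
    if head.startswith(LNK_MAGIC) and not lower.endswith(".lnk"):
        reasons.append("Shell Link header but non-.lnk extension")
    return reasons


def find_disguised_shortcuts(zip_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Scan every file in a ZIP (given as bytes) and return (name, reasons) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for demonstration; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Lure filename from the IoC list, content is a bare LNK header plus padding.
        zf.writestr("제안서.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        # Hypothetical member: LNK header hidden under a .pdf name.
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 64)
        # Hypothetical benign PDF stub; must not be flagged.
        zf.writestr("readme.pdf", b"%PDF-1.4\n%constructed stub\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_shortcuts(build_sample_archive()):
        print(name, "->", "; ".join(reasons))
```

Checking the header as well as the extension matters because the extension check alone is defeated by renaming; for mail-gateway or sandbox use, the same function can be pointed at each attachment before it reaches a user.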
Indicators of Compromise:
- [File Hash] SHA256: 627ee714b1e4f5bd692061e1c29783191f71c10c91f14c632e405fbe57d4dd3b
- [Filename] 제안서.pdf.lnk
- [URL] https://ausbildungsbuddy[.]de/modules/mod_mail/inc/get.php?ra=iew&zw=lk0100
- [URL] https://ausbildungsbuddy[.]de/modules/mod_mail/src/upload.php
- [Filename] nearby.cab
Full Story: https://muff-in.github.io/blog/Malware-Campaign-Potentially-Linked-to-DPRK-Konni-Group/