Malware: Eyes On North Korea

A previously unknown RAT (Remote Administration Tool) has been uncovered after evading detection by the security community for more than three years. Lately, its targets are associated with North Korean affairs. 

Cisco Talos, which discovered the malware, has named it KONNI. It allows the operator to steal files, log keystrokes, capture screenshots and execute arbitrary code on the infected host. The last two KONNI campaigns suggest that the targets are public organisations.

The investigation revealed targeted email addresses, phone numbers and contacts of members of official organisations such as the United Nations, UNICEF and embassies linked to North Korea.

Throughout its three years of activity, across four campaigns, the actor has relied on social engineering and a malicious email attachment as the delivery method, though the functionality of KONNI has evolved from a simple information stealer with no remote administration capability into the full RAT it is today.

Talos noted that the different versions contain code copied from previous versions, and that the newest version searches for files generated by earlier versions, which indicates the malware has been used repeatedly against the same targets.

The last campaign was started recently and is still active, and the infrastructure remains up and running.

“The RAT has remained under the radar for multiple years. An explanation could be the fact that the campaign was of a very limited nature, which does not arouse suspicion,” Cisco said in an analysis. “This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents.

“The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who seem to work for a public organisation. We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible.”

Researchers added, “Clearly the author has a real interest in North Korea, with three of the four campaigns being linked to North Korea.”

Infosecurity
