Malware: Eyes On North Korea

A previously unknown RAT (Remote Administration Tool) has been uncovered after evading detection by the security community for more than three years. Lately, its targets are associated with North Korean affairs. 

Cisco Talos, which discovered the malware, has named it KONNI. It allows the operator to steal files, log keystrokes, capture screenshots and execute arbitrary code on the infected host. The last two KONNI campaigns suggest that the targets are public organisations.

The investigation revealed targeted email addresses, phone numbers and contacts of members of official organisations such as the United Nations, UNICEF and embassies linked to North Korea.

Throughout the three years it has been active, over the course of four campaigns, the actor has relied on social engineering and a malicious email attachment for initial access. The functionality of KONNI, however, has evolved from a simple information stealer with no remote administration capability into the fully featured RAT seen today.

Talos noted that the different versions contain code copied from previous versions, and that the newest version searches the host for files generated by earlier versions. This suggests the malware has been deployed several times against the same targets.

The latest campaign started recently and is still active; its command-and-control infrastructure remains up and running.

“The RAT has remained under the radar for multiple years. An explanation could be the fact that the campaign was of a very limited nature, which does not arouse suspicion,” Cisco said in an analysis. “This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents.

“The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who seem to work for a public organisation. We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible.”

Researchers added, “Clearly the author has a real interest in North Korea, with three of the four campaigns being linked to North Korea.”
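The metadata observation above is something any analyst can reproduce on a suspected decoy document without opening it in Office: a .docx/.xlsx/.pptx is a zip archive, and the author, last-modified-by and timestamp fields live in docProps/core.xml (with application and company fields in docProps/app.xml). The script below is an added example written for this page; it is not Talos's tooling, and it does not use any real KONNI decoy. The sample document it parses is constructed in memory, and every name, date and company in it is made up. Legacy binary .doc/.xls files are OLE2 containers, not zips, and need a different parser.

```python
"""Added example (not from the Talos analysis or the article): pull author,
timestamp and application metadata out of an Office Open XML package so an
analyst can inspect a suspected decoy document offline.  The sample .docx is
constructed inline; all names, dates and the company in it are invented."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces fixed by the OOXML standard for docProps/core.xml and docProps/app.xml.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# core.xml fields of interest, keyed by the name used in the returned dict.
CORE_FIELDS = {
    "title": "dc:title",
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
APP_FIELDS = ("Application", "Company", "AppVersion")

MAX_PART_SIZE = 1 << 20  # refuse absurdly large metadata parts (zip-bomb guard)


def _read_part(zf, name):
    """Return the bytes of one zip member, or None if the package lacks it."""
    try:
        info = zf.getinfo(name)
    except KeyError:
        return None
    if info.file_size > MAX_PART_SIZE:
        raise ValueError(f"{name} is unexpectedly large ({info.file_size} bytes)")
    return zf.read(name)


def extract_office_metadata(data):
    """Return a dict of author/timestamp/application metadata from OOXML bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML package (legacy OLE2 .doc/.xls need another parser)")
    meta = {key: None for key in CORE_FIELDS}
    meta.update({tag.lower(): None for tag in APP_FIELDS})
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = _read_part(zf, "docProps/core.xml")
        if core is not None:
            root = ET.fromstring(core)
            for key, path in CORE_FIELDS.items():
                meta[key] = root.findtext(path, default=None, namespaces=CORE_NS)
        app = _read_part(zf, "docProps/app.xml")
        if app is not None:
            root = ET.fromstring(app)
            for tag in APP_FIELDS:
                meta[tag.lower()] = root.findtext(f"{{{APP_NS}}}{tag}")
    return meta


def triage_notes(meta):
    """Observations that bear on whether a decoy is a repurposed legitimate
    document or one the attacker authored from scratch."""
    notes = []
    if meta["creator"] and meta["last_modified_by"] and meta["creator"] != meta["last_modified_by"]:
        notes.append("creator and last-modified-by differ: document passed through more than one account")
    # W3CDTF timestamps in the same format compare correctly as strings.
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        notes.append("modified timestamp precedes created timestamp: metadata may have been edited")
    if not meta["creator"] and not meta["last_modified_by"]:
        notes.append("no author names present: metadata stripped or never set")
    return notes


def build_sample_docx(creator, last_modified_by, created, modified):
    """Construct a minimal .docx in memory (constructed sample input; the
    names, dates and company are invented and not taken from any real decoy)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}" '
        f'xmlns:dcterms="{CORE_NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Meeting agenda</dc:title>'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
        '<Company>Example Org</Company><AppVersion>14.0000</AppVersion></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx("A. Author", "B. Editor",
                                "2017-04-03T08:15:00Z", "2017-04-04T09:30:00Z")

if __name__ == "__main__":
    meta = extract_office_metadata(SAMPLE_DOCX)
    for key, value in meta.items():
        print(f"{key:17} {value}")
    for note in triage_notes(meta):
        print("NOTE:", note)
```

Run it as-is to see the constructed sample parsed, or call extract_office_metadata() on the bytes of a real attachment pulled from a mail store. Names that appear in creator or lastModifiedBy are a lead for finding whose document was repurposed, which is exactly the question Talos left open; a creator that differs from the last editor, or timestamps that run backwards, are the first things to note before deciding whether the decoy is a stolen original or an attacker-built fake.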

Infosecurity
