Konni Malware Campaign Targets North Korean Organizations

Published: 22/11/2024   Category: security




For at least three years, an unknown threat actor has used the RAT to steal data and profile organizations in North Korea.



An unknown threat actor has been quietly carrying out intermittent cyber campaigns against North Korean organizations for at least the last three years using a relatively unsophisticated but constantly evolving Remote Access Trojan.
Security researchers have so far counted three separate campaigns in 2017 in which the so-called Konni Trojan has been used against North Korean targets.
The most recent was in July in the immediate aftermath of news that the North Korean government had successfully tested an Intercontinental Ballistic Missile supposedly capable of reaching US targets. In all, there have been at least five separate Konni campaigns directed at targets in the reclusive country over the past few years.
Cylance, the latest security vendor to analyze the malware, this week said the motivations behind the Konni campaigns remain unclear, but could be related to hacktivism. 
"Cylance's recent analysis of a Konni sample suggests that the malware may have links to 2014's DarkHotel APT campaign for stealing data from business travelers at luxury hotels," Cylance noted in a blog this week.
Kaspersky Lab, which was the first to uncover the DarkHotel malware campaign, had at the time said that evidence pointed to the authors as being possibly of Korean origin. Some researchers had at the time said the signs pointed more specifically to the campaign originating in South Korea.
"[Konni] essentially is a still evolving, full-featured RAT," says Kevin Finnigin, manager of threat guidance at Cylance. The company's analysis suggests that additional capabilities are probably under development, he says.
Cylance said its analysis showed Konni to be a uniquely crafted RAT that combines some basic anti-detection techniques with social engineering and intelligence harvesting capabilities. The malware has typically been distributed via phishing emails and includes a decoy document—usually with content pertaining to some North Korean-related news event—which when opened executes the malware on a victim machine.
"The malware runs in the background and there is no visual cue for the user that opened the malware that it did anything other than open the decoy document," Finnigin says.
In the meantime, the malware is busy profiling a victim organizations network and connected systems using host enumeration, screenshots, keystroke logging and other measures. The data that the malware gathers is then used to launch specific attacks against targeted organizations.
Cisco's Talos security group, which profiled the Konni campaign on two separate occasions earlier this year, has described the malware as rapidly evolving. In a blog back in May, Talos said that its analysis of Konni's decoy documents suggested that the targets were mainly public organizations and embassies linked to North Korea.
In the three years that Konni has been around, the malware has improved in multiple ways, Talos has noted. For instance, the malware started off purely as an information stealer but quickly morphed into a RAT. Konni has also evolved from a single-file malware to one with dual files—an executable and a dynamic library—Talos has noted.
In addition, Konni's authors have improved the malware's instruction handling capabilities. The actions it can take now include file deletion and exfiltration, the ability to take screenshots and upload them to a command and control server, the ability to gather information for profiling systems, and the ability to execute remote commands.
New versions of the malware have also been designed to search for files generated by previous versions of Konni, suggesting that the malware has been repeatedly used against the same targets, Talos has observed. The authors of the malware have recently introduced a 64-bit version and have begun using a packer to make analysis harder, Talos security researchers noted in their second Konni blog in July this year.
Despite the improvements, Konni still appears to be relatively easy to reverse engineer, so its capabilities can be traced back to source code. "Other RATs and bots [such as] Zeus and Dridex are heavily obfuscated and employ many techniques to hinder analysis," Finnigin says.
Related Content:
Darkhotel Deploys Zero-Day From Hacking Team
US Warns of North Koreas Not-So-Secret Hidden Cobra DDoS Botnet
NSA Reportedly Confident North Korea Was Behind WannaCry
7 Ways Hackers Target Your Employees