Organizations in North Korea have been targeted by an unknown hacking group using malware named Konni. Konni is a remote access Trojan (RAT) with the full feature set of an effective backdoor, including host profiling and remote control of the infected machine. Three separate campaigns against North Korean organizations have already used this malware this year.
The campaign was first identified by Talos Intelligence, Cisco's threat-intelligence group. It was launched on July 6th, several days after North Korea's missile test, and Talos assessed that it was most likely tied to the launch and the ongoing debate over the country's missile technology. In total, Talos has identified two campaigns using Konni.
Researchers at the security firm Cylance found a similar campaign this Tuesday; their findings corroborate what Talos had already reported and confirm that North Korea is being targeted with Konni.
The newest Konni campaign uses a Word document that displays a news article from the Korean news agency Yonhap. The document contains a malicious executable file that infects the computer on which the document is opened once that file is run. As soon as the executable runs, the malware contacts its command-and-control (C&C) server to fetch further instructions and carry out whatever the attacker wants.
Cylance's researchers say these campaigns were first noticed in July. It is still unclear why this latest surge in malware campaigns against North Korean organizations is happening, but the experts' view is that it is espionage by parties with an interest in North Korean affairs.
What makes Konni tricky is that it stays hidden in the background while the victims end up executing the payload themselves. Among other capabilities, the malware can capture the screen and log keystrokes, which are the features it uses to steal data from the computers it targets.
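The lure described above is a Word document carrying an executable that the victim launches by hand. The following is an added example of how a defender can triage such a document before it reaches a user; it is not code from Cylance, Talos or Bitdefender and it is not a Konni sample. It assumes the lure is a modern .docx (OOXML zip) whose embedded objects live under word/embeddings/, and it relies on simple heuristics: a PE image (MZ header and DOS stub, PE signature) inside the embedded blob, or an OLE Package stream that records a packaged filename with an executable extension. The sample documents it scans are constructed inline; the filename yonhap_news.exe and the extension list are assumptions for illustration.

```python
"""Heuristic scan of a .docx for embedded executables (added example).

Not the malware's code, nor any vendor's detection logic. Assumes the OOXML
layout (embedded objects under word/embeddings/); legacy OLE2 .doc files are
not handled. The heuristics are deliberately simple and can miss packed or
encrypted payloads, so treat a hit as a triage signal, not a verdict.
"""
import io
import re
import zipfile

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
PE_SIG = b"PE\x00\x00"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header

# Extensions that should never appear as a packaged object inside a document
# (assumed list for this example; extend to taste).
SUSPICIOUS_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js|hta)$", re.I)
# OLE Package (Ole10Native) streams store the original filename as a
# NUL-terminated ANSI string; this pulls out candidates of that shape.
PACKAGED_NAME = re.compile(rb"([\w\- ]+\.[A-Za-z]{2,4})\x00")


def find_embedded_executables(docx_bytes):
    """Return a list of {entry, size, reasons} for suspicious embedded objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().startswith("word/embeddings/"):
                continue
            blob = zf.read(name)
            reasons = []
            # A raw PE, or a PE wrapped in an OLE container, shows both markers.
            if blob.startswith(MZ_MAGIC) or (MZ_MAGIC in blob and DOS_STUB in blob):
                reasons.append("contains PE image (MZ header / DOS stub)")
            if PE_SIG in blob:
                reasons.append("contains PE signature")
            if blob.startswith(OLE_MAGIC):
                for m in PACKAGED_NAME.finditer(blob):
                    fname = m.group(1).decode("latin-1")
                    if SUSPICIOUS_EXT.search(fname):
                        reasons.append("packaged filename %r" % fname)
                        break
            if reasons:
                findings.append({"entry": name, "size": len(blob), "reasons": reasons})
    return findings


def build_sample_docx(with_payload):
    """Constructed minimal .docx for testing; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_payload:
            # Fake PE fragment: DOS header magic, stub text, PE signature.
            fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16 + PE_SIG
            # Fake OLE Package wrapper carrying an assumed filename.
            blob = OLE_MAGIC + b"\x00" * 24 + b"yonhap_news.exe\x00" + fake_pe
        else:
            # Benign-looking embedded object (e.g. a spreadsheet) with no PE markers.
            blob = OLE_MAGIC + b"\x00" * 24 + "Workbook".encode("utf-16-le")
        zf.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("lure", True)):
        hits = find_embedded_executables(build_sample_docx(flag))
        print(label, "->", hits if hits else "no embedded executables found")
```

Run as a script to see the two constructed samples scanned; in practice, point find_embedded_executables at the bytes of a document pulled from mail or an upload path and alert on any non-empty result. Because the victim still has to double-click the object, a hit here is an opportunity to block the document before that click ever happens.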
Konni is not the only malware targeting North Korea. Bitdefender has identified a new, enhanced version of the DarkHotel malware called Inexsmar. Where its older relative went after business executives and other high-profile figures staying in hotels, Inexsmar's targets are politicians.
This campaign was also identified in July, and it works by delivering the malicious payload directly to the target. The Inexsmar campaign used a malware dropper named Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.
This dropper is identical to the document used in the Konni campaign. Moreover, files from both campaigns contain a similar set of names and contact details.
Researchers believe the campaigns most likely originate from South Korea, which is plausible given the ongoing espionage contest between the two countries. Another theory is that the attacks are a retribution campaign for North Korea's recent successful test of an intercontinental ballistic missile (ICBM).