Experts at Cylance noticed that the decoy document used in KONNI attacks is similar to the one used in recent campaigns of the DarkHotel APT.

In May, Cisco Talos team discovered a RAT dubbed KONNI malware that targets organizations linked to North Korea.

The malware, dubbed by researchers “KONNI,” was undetected for more than 3 years and was used in highly targeted attacks. It was able to avoid detection due to a continuous evolution, the recent versions capable of executing arbitrary code on the target systems and stealing data.

“Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. ” states the analysis published by Talos.

The malware has evolved over the years and its last release is able to log keystrokes, steal files, capture screenshots, and collect information about the infected system.

The KONNI malware was also spotted in at least two campaigns in 2017. Threat actors used a decoy document titled “Pyongyang e-mail lists – April 2017” and it contained the email addresses and phone numbers of individuals working at organizations such as the United Nations, UNICEF and embassies linked to North Korea.

Hackers also used a second decoy document, titled “Inter Agency List and Phonebook – April 2017” contained names and contact information for members of agencies, embassies and other organizations linked to North Korea.

Experts at Cylance noticed that the decoy document titled “Pyongyang e-mail lists – April 2017, presents many similarities with a document used in a recent campaign that experts at Bitdefender linked to DarkHotel.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014, according to the researchers the APT group has been around for nearly a decade while targeting selected corporate executives traveling abroad.

According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared high skilled professionals that exfiltrated data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gang never go after the same target twice.

According to the security firm Bitdefender, the DarkHotel APT is back and it is targeting government employees with an interest in North Korea with new techniques.

The hackers’ victims have been discovered in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany.

The new DarkHotel campaign dubbed “Inexsmar” leveraged on documents quite similar to the ones used in the KONNI attacks, the content has the same format and they have the same title.

Looking at the files’ description it is possible to notice that they are both titled “Pyongyang directory” and they were both authored by “Divya Jacob.”

Experts at Cylance who analyzed the KONNI malware believe that the malware’s authors once discovered due to their revelations will switch tactic and will release new variants that will include better obfuscation capabilities.

“The KONNI malware is a relatively new RAT. The implemented features are straightforward to analyze and there has been little attempt to mask the malware’s true purpose. The basic features for a backdoor are all present, including host profiling and remote access and control. ” concluded Cylance.

“Given the recent attention, we expect to see new variants surface in the coming months with better obfuscation and perhaps additional capabilities.”

Pierluigi Paganini

(Security Affairs – KONNI malware, North Korea)

Share this...

Linkedin Reddit Pinterest

Share On