Two recent espionage campaigns against political and strategic targets in North Korea have been linked to malware that has stayed hidden for the better part of three years.
Cisco’s research arm Talos published a report yesterday on the malware it calls Konni. Two attacks in April used phishing emails and decoy documents of interest to the target to drop the Konni remote access Trojan. That allowed the attacker to drop additional malware on compromised systems. Current iterations of the malware include components that allow for data theft, keylogging, screenshot capture and the execution of arbitrary code.
Cisco said the malware evolved from mainly stealing information without remote administration to the use of two separate binaries including a dynamic library on compromised machines, new features added to the malware, and better decoy documents.
The targets are likely public organizations, and the decoy documents used in the last two campaigns include the contact information of members of embassies linked to North Korea, as well as public organizations such as UNICEF and the United Nations, Cisco said.
The attackers used the Konni malware sparingly, and the most recent attacks were carried out a few days ago. The campaign remains active, as is its infrastructure, which is hosted on a legitimate and free webhost called 000webhost.
“Low volume distribution of malware to a small number of targets potentially means that malicious campaigns get lost in the noise of the many samples of malware out there,” said Cisco Talos Technical Lead Martin Lee. “In fact, it is very difficult for threat actors to completely evade leaving traces in telemetry.”
Cisco spotted the two most recent campaigns in April, but some commonalities run through all four campaigns Cisco is aware of, which date back to 2014. For example, the attacks start with phishing emails containing an attachment as the initial infection vector. The victim is lured into opening a .scr file, which displays a decoy document to the user before executing the malware.
The .scr file drops an executable and a dynamic library onto the machine, and uses a LNK file to maintain persistence. These campaigns were updated with versions of the malware capable of grabbing screenshots, in addition to stealing system information, uploading files, deleting files, downloading code from the internet and executing commands.
Cisco said the two command and control domains, Pactchfilepacks[.]net23[.]net and checkmail[.]phpnet[.]us, from these attacks remain active. Cisco published indicators of compromise from all four attacks in its reports. It would not say whether this was a nation-state operation or the work of a criminal outfit.
“Attribution is always difficult. We can identify malware, but we can’t necessarily identify who is behind it, or who they work for. All we can say for certain is that this appears to have been a long term campaign with an interest in Korea,” Lee said. “The nature of the decoy documents suggests a certain degree of social engineering and targeting of victims. Yet at the same time, the malware does not appear particularly advanced.”
It has evolved, however. The September 2014 campaign, for example, used an image of a Myanmar temple as its decoy, while dropping Konni as a phony scvhost executable. It grabbed instructions from two command and control domains, phpschboy[.]prohosts[.]org and jams481[.]site[.]bz, and it could log keystrokes, steal browser cookies, and steal any data on the clipboard.
Two years later, the campaign changed decoy documents, dropping instead Office documents in English and Russian titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet.”
These attacks used two binaries for the first time, dropped the malware into a different directory than the first attack did, and reached out to a new C2 server at dowhelsitjs[.]netau[.]net. Remote administration functionality first surfaced in the 2016 campaign with file uploading and command execution capabilities. Cisco said that the malware used in this campaign looked for filenames created with the previous version of Konni, indicating the attackers may have been targeting the same victims.
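As an added illustration (not code from Cisco Talos or the article), the following Python turns the indicators the article names, the five defanged C2 domains, the .scr attachment as initial dropper and the LNK used for persistence, into a small log scanner a defender could run over DNS, mail-gateway and file-creation records. The log formats and sample lines are constructed and hypothetical.

```python
import re
from dataclasses import dataclass

# C2 domains named in the article, kept defanged exactly as printed.
KONNI_C2_DEFANGED = [
    "Pactchfilepacks[.]net23[.]net", "checkmail[.]phpnet[.]us",
    "phpschboy[.]prohosts[.]org", "jams481[.]site[.]bz",
    "dowhelsitjs[.]netau[.]net",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator like a[.]b into a.b, lower-cased."""
    return domain.replace("[.]", ".").lower()

KONNI_C2 = {refang(d) for d in KONNI_C2_DEFANGED}

def domain_matches(queried: str) -> bool:
    """True if the name is a listed C2 domain or a subdomain of one."""
    q = queried.lower().rstrip(".")
    return any(q == c2 or q.endswith("." + c2) for c2 in KONNI_C2)

@dataclass
class Hit:
    line_no: int
    reason: str
    line: str

def scan(lines):
    """Return a Hit for every log line matching a Konni indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s*(\S+)", line)          # DNS-style record
        if m and domain_matches(m.group(1)):
            hits.append(Hit(n, "known Konni C2 domain", line))
        m = re.search(r"attachment=(\S+)", line, re.I)  # mail-gateway record
        if m and m.group(1).lower().endswith(".scr"):
            hits.append(Hit(n, ".scr attachment (Konni initial dropper)", line))
        if re.search(r"\\startup\\[^\\]+\.lnk", line, re.I):  # persistence
            hits.append(Hit(n, "LNK written to a Startup folder", line))
    return hits

# Constructed sample lines (hypothetical formats, not real telemetry).
SAMPLE_LOGS = [
    "2017-05-03 10:01:02 dns client=10.0.0.5 query: pactchfilepacks.net23.net A",
    "2017-05-03 10:01:05 dns client=10.0.0.7 query: www.example.com A",
    "2017-05-03 10:02:10 mailgw from=ext@example.org attachment=Contacts.scr",
    "2017-05-03 10:02:11 mailgw from=hr@example.com attachment=agenda.pdf",
    r"2017-05-03 10:03:00 sysmon FileCreate C:\Users\bob\AppData\Roaming"
    r"\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
]
```

Running `scan(SAMPLE_LOGS)` flags lines 1, 3 and 5; the subdomain check matters because C2 hostnames on free webhosts often appear with extra labels in DNS telemetry.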
This article was updated May 5 with clarifications from Cisco.