Hackers From North Korea Reappear With Stealthier Form of KONNI RAT Malware

Hackers From North Korea Reappear With Stealthier Form of KONNI RAT Malware

A cyberespionage gang linked to North Korea has returned with a stealthier edition of its remote access trojan known as Konni, which it is using to attack political institutions in Russia and South Korea.

“We found that KONNI Rat is being actively developed, and new samples are now including significant updates,” Malwarebytes wrote with researcher Roberto Santos saying that “the authors are constantly making code improvements.” Their efforts are geared at interrupting the traditional flow recorded by sandboxes and making detection more difficult, mainly via regular signatures, because essential sections of the executable are now encrypted.

The most recent breaches performed by the organization, which is thought to be working under the Kimsuky umbrella, involve using New Year lures to infiltrate Windows computers with malware at the Russian Federation’s Ministry of Foreign Affairs (MID).

The infections begin with a malicious Microsoft Office document that, when viewed, starts a multi-stage process involving multiple moving pieces that aid the attackers in elevating privileges, evading detection, and eventually deploying the Konni RAT payload on infected systems:

“The final goal of the attack is installing what is called KONNI Rat, which is a .dll file supported by an .ini file. In a nutshell, the .dll file contains the functionality of the RAT, and the .ini file contains the address of the first C&C server. KONNI Rat’s general behavior remains almost the same as previous versions, but there are changes,” researchers explained.

The change from Base64 encoding to AES encryption to safeguard the backdoor’s strings and obfuscate their real purpose is a new enhancement to its current capabilities. Furthermore, several support files dumped to aid the intrusion have now been encrypted using AES.

“Cleverly, they reused the algorithm used for string protection, making the file layout identical to the protected strings layout, as they appear in raw memory,” Santos explained. The major updates show how competent actors may swiftly adapt their tactics and strategies to build something powerful and successful that can bypass security and detection layers.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.