
Security researchers from Cisco Talos have come across a new malware family that was used to target various officials and organizations linked to North Korea.

Named KONNI, Talos researchers say they've discovered this new threat in an active campaign they detected a few days ago.

By clever sleuthing, researchers uncovered historical data linking KONNI to previous attacks going back three years, as early as 2014.

Four KONNI campaigns detected in the past three years

In total, researchers uncovered four different KONNI campaigns, one in 2014, one in 2016, and two in 2017.

Based on past KONNI samples, it appears that the group behind this malware has developed KONNI slowly over time, adding new features with every new campaign.

Experts say the malware evolved from a simple infostealer that could only dump and exfiltrate clipboard and browser data, into a full blown Remote Access Trojan (RAT) that could also take screenshots, download and execute files, and run on-demand shell commands.

The distribution vector was spear-phishing emails that contained SCR (Windows screensaver executable) files. Opening one of these SCR files displayed a decoy document, but also dropped the malware onto the victim's workstation.

Attacks targeted individuals linked to North Korea

The spear-phishing emails used in these attacks were addressed to members of official organizations such as the United Nations, UNICEF, and embassies, all of them linked to North Korea.

It's quite rare to see malware that targets individuals related to North Korea. In recent years, North Korea-based actors, such as the Lazarus Group, have been linked to several cyber-espionage campaigns aimed at Western targets.

Examples include the Sony hack and a stream of attacks against banks all over the world. The most famous of these bank heists are the ones carried out in 2016, which targeted the SWIFT banking system.

Of course, the fact that the KONNI malware targeted individuals related to North Korea doesn't mean an external actor was behind the attacks; a North Korean group could just as well be keeping an eye on how those individuals represent the country abroad.

A technical report describing the KONNI modus operandi is available here.

Image credits: Roman Harak
