North Korea claims to have conducted the first test of an intercontinental ballistic missile (ICBM), the Hwasong-14, on 3rd July, and US officials believe the country may have fired a brand-new missile that has not been seen before.
Now, just a day after the launch, attackers have started using the news as bait for people interested in North Korea's missile arsenal, which has progressed over the decades from crude artillery rockets to what the country claims are long-range missiles capable of striking targets in the United States.
Security researchers at Talos Intelligence have discovered a new malware campaign, launched on 4 July, that targets victims with KONNI, a Remote Access Trojan (RAT) that has been in use for over three years while remaining largely unnoticed.
KONNI is designed to steal files, log keystrokes, take screenshots, collect system information (hostname, IP address, username, OS version and installed software) and execute arbitrary code on the infected computer.
How Does the KONNI Malware Work?
The attackers use an email attachment as the initial infection vector: an executable which, when opened, displays an MS Office document disguised as an article about the missile test.
The content of the decoy document is copied verbatim from an article published on 3 July by South Korea's Yonhap News Agency.
Meanwhile, the malicious executable drops two different versions of KONNI: event.dll and errorevent.dll.
On 64-bit versions of Windows both binaries are dropped; on 32-bit versions only errorevent.dll is dropped.
The dropped malware is then immediately executed to "ensure that the malware persists and is executed on rebooting the compromised system," the researchers say.
C&C Server Disguised as a Legitimate Climbing Club Website
The malware uses a new command-and-control server hosted on a website posing as a legitimate climbing club. The site contains no real content, only the default placeholder text of its CMS (Content Management System).
The C&C traffic takes the form of "HTTP post requests to web pages hosted as /weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself."
The website also has a contact section listing a US address, but the map beneath it points to a location in Seoul, South Korea.
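Those three URI paths are the most actionable indicator in the report, because the C&C domain is not named and the dropped DLL names (event.dll, errorevent.dll) are easy to collide with legitimate files. The script below is an added example, not code from Talos or from the article: it parses a constructed proxy log format (timestamp, client IP, method, absolute URL, status) and flags the KONNI beaconing pattern. A POST to one of the exact paths is rated "high"; any other request touching those paths, or anything else under /weget/ (a broader heuristic that is my assumption, not something the report states), is rated "low". The hostname club.example.invalid and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Exact C&C URI paths Talos reported for this KONNI campaign (taken from the report).
KONNI_C2_PATHS = frozenset({
    "/weget/download.php",
    "/weget/uploadtm.php",
    "/weget/upload.php",
})
# Looser heuristic (my assumption, not from the report): anything else under /weget/.
KONNI_C2_PREFIX = "/weget/"

# Constructed log format for this example (not any real proxy's native format):
#   <iso8601 timestamp> <client ip> <method> <absolute url> <http status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]+)\s+(\S+)\s+(\d{3})\s*$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "status": status,
    }


def classify(rec):
    """Score one parsed record: 'high', 'low', or None (no match).

    'high' = HTTP POST to one of the exact paths from the report, i.e. the
             beaconing pattern Talos described.
    'low'  = any other request touching those paths or the /weget/ directory;
             worth a look, but could be a scanner or a coincidence.
    """
    if rec is None:
        return None
    path = rec["path"].lower()  # normalise so a mixed-case probe does not slip past
    if path in KONNI_C2_PATHS:
        return "high" if rec["method"] == "POST" else "low"
    if path.startswith(KONNI_C2_PREFIX):
        return "low"
    return None


def find_konni_c2(lines):
    """Return (severity, client, host, method, path) for every suspicious line, in order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        sev = classify(rec)
        if sev:
            hits.append((sev, rec["client"], rec["host"], rec["method"], rec["path"]))
    return hits


# Constructed sample: one benign intranet request, a KONNI-like beacon sequence
# from 10.0.0.12, an unrelated upload.php on another host that must NOT match,
# and a malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
2017-07-05T09:12:41Z 10.0.0.12 GET http://intranet.example.local/index.html 200
2017-07-05T09:13:02Z 10.0.0.12 POST http://club.example.invalid/weget/upload.php 200
2017-07-05T09:13:05Z 10.0.0.12 POST http://club.example.invalid/weget/uploadtm.php 200
2017-07-05T09:13:09Z 10.0.0.12 GET http://club.example.invalid/weget/download.php 200
2017-07-05T09:14:30Z 10.0.0.44 POST http://cdn.example.com/upload.php 200
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for hit in find_konni_c2(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Run against the sample, the two POSTs to /weget/upload.php and /weget/uploadtm.php come back as "high", the GET to /weget/download.php as "low", and the unrelated /upload.php on cdn.example.com is ignored, which is the point of matching the full path rather than the file name. In a real deployment you would adapt LOG_RE to your proxy's format and pivot from any "high" hit to the source host to look for the dropped DLLs.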
"The threat actors associated with KONNI typically use decoy documents relating to North Korea, and this campaign is no exception. However, in contrast to the convincing decoy document lifted from a third party, the content of the decoy website hosted on the CnC server does not look legitimate," the researchers concluded.
"Nevertheless, this threat actor continues to remain active and continues to develop updated versions of their malware. Organizations which may have an interest in the contents of this decoy document and that used in previous campaigns should ensure that they are adequately protected against this and subsequent campaigns."
So, my advice for users who want to stay protected from such malware: always be suspicious of unsolicited documents sent over email, and never click on links inside those documents without first verifying the source.
Additionally, keep your systems and antivirus software updated to protect against the latest threats.