Security researchers have detected a malware campaign directed at organizations related to North Korea. The attack happened on Tuesday, almost a month after North Korea conducted another intercontinental ballistic missile (ICBM) test at the beginning of July. The person or group responsible for the attack is yet to be identified. However, it is believed this is cyber espionage in response to the regime’s long-range missile tests and aggressive rhetoric. The malware used is a remote access trojan (RAT) named KONNI, capable of creating backdoors into infected computers.
This is not the first time attacks like this have been directed at North Korea. North Korea has been targeted by the same malware at least five times in the past three years. Two of the most recent ones were discovered by the cybersecurity firm Talos Intelligence. Those attacks were detected on July 6, just two days after North Korea successfully tested its first ICBM, with an estimated range of 10,000 km. Researchers at Cylance also discovered a similar campaign happening this past Tuesday. All three of these campaigns used the Konni trojan. The timeline of the attacks, together with the reuse of the same malware, makes it plausible that this is a case of cyber espionage.
The motivation behind these campaigns is uncertain; however, it does appear to be geared towards espionage against targets who would be interested in North Korean affairs.
Konni is a Remote Access Trojan (RAT) that is used to create a backdoor into a system and extract information. The version used in this campaign is more robust than the previous ones; it is capable of logging keyboard events, taking screenshots, stealing files and capturing system information. The vector used to deliver the payload is a highly targeted spear-phishing attack (whaling) that delivers an infected file. The Word file, named “Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr”, contains self-executing code that, once opened, begins downloading the payload from a C&C server hosted on a domain named member-daumchk[.]netai[.]net.
Researchers at Cylance believe the July campaign is linked to a hacker group known as DarkHotel. DarkHotel is a group that is known for targeting businesses through a hotel’s WiFi network. The involvement of the group is suspected due to similarities to samples used by the group in previous campaigns. Researchers at Bitdefender Lab documented the new campaign by DarkHotel and dubbed it Inexsmar. Something noted in Bitdefender’s publication is that instead of targeting high-ranking businessmen, DarkHotel seems to be targeting political figures, particularly figures related or connected to North Korean institutions. As of yet this is all speculation and requires further research.