In the shadows of geopolitics, KONNI has been operating quietly for more than a decade, building on its playbook of carefully staged spear-phishing campaigns and political lures targeted at South Korean institutions.
In the past, KONNI’s operations followed the fault lines between diplomacy and regional security, targeting government agencies, academic institutions, non-governmental organizations, and individuals involved in inter-Korean affairs.
However, new findings from Check Point Research indicate the organization is no longer restricted to this familiar territory.
In a marked departure from its traditional approach, KONNI is currently conducting phishing campaigns targeted at blockchain developers throughout the Asia-Pacific region — including Japan, Australia, and India — signaling the group’s intention to expand geographically and recalibrate its strategic approach.
Beyond shifting attention to individuals with access to blockchain infrastructure, the campaign also introduces a novel AI-based backdoor, illustrating a refinement of the group’s technical capabilities and operational priorities.
In Check Point’s analysis, the campaign appears to be the product of the North Korean threat group Konni (also tracked as Opal Sleet and TA406), which researchers believe has operational overlaps with activity clusters such as APT37 and Kimsuky.
Since at least 2014, the group has conducted espionage operations against entities in South Korea, Russia, Ukraine, and multiple European countries.
The telemetry generated by recent analyzed samples, however, indicates that the current wave of malware is concentrated in Asia-Pacific, with submissions originating from Japan, Australia, and India.
This confirms the assessment of a deliberate geographic pivot. Infection chains are carefully staged and multilayered, indicating that they are designed to infect in a controlled manner.
Victims are given a Discord link that serves a ZIP archive containing a decoy PDF and a malicious Windows shortcut (LNK) file.
Executing the shortcut invokes an embedded PowerShell loader that extracts additional components, including a DOCX lure and a CAB archive. The cabinet file holds several payload components: a PowerShell-based backdoor, two batch scripts that automate the User Account Control (UAC) bypass, and an executable that performs the bypass.
When the shortcut is opened, it displays the decoy document while covertly executing an embedded batch file, so the malicious activity stays concealed behind legitimate-looking documentation. The lure content itself indicates that the attackers intend to penetrate development environments, giving them access to infrastructure repositories, API credentials, wallet configurations, and possibly cryptocurrency holdings.
An initial batch script establishes a staging directory for persistent storage, deposits the backdoor and secondary scripts, and configures a scheduled task that runs hourly in order to avoid detection by OneDrive.
This procedure consists of retrieving PowerShell payloads from disk, decrypting them at runtime, and then removing them from the system to minimize forensic visibility and complicate incident response.
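As an added defender-side example (not code from the article or from Check Point Research), the following Python correlates constructed Sysmon-style process-creation records against the stages of the chain described above: a hidden or encoded PowerShell launch from the shell, CAB extraction, and creation of an hourly scheduled task. The log format, host names, paths and task names are all constructed assumptions; the point is that a single stage (an hourly task) is ordinary, while the combination on one host is the signal.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not from the article):
# host|parent image|image|command line
SAMPLE_EVENTS = [
    r"DEV-01|explorer.exe|powershell.exe|powershell -w hidden -ep bypass -enc <b64-placeholder>",
    r"DEV-01|powershell.exe|expand.exe|expand C:\Temp\pkg.cab -F:* C:\Temp\stage",
    r"DEV-01|cmd.exe|schtasks.exe|schtasks /create /sc hourly /tn Updater /tr C:\Temp\stage\run.bat",
    r"DEV-02|explorer.exe|winword.exe|winword /n report.docx",
    r"DEV-02|cmd.exe|schtasks.exe|schtasks /create /sc hourly /tn Backup /tr C:\Tools\backup.bat",
]

# One rule per stage: (image regex, parent regex, command-line regex).
# Stage names are our own labels, assumed for this example.
STAGE_RULES = {
    "hidden_powershell": (r"powershell\.exe", r"explorer\.exe",
                          r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-ep\s+bypass)"),
    "cab_extract": (r"(expand|extrac32)\.exe", r".*", r"\.cab\b"),
    "hourly_task": (r"schtasks\.exe", r".*", r"/create\b.*\s/sc\s+hourly\b"),
}

def parse_event(line):
    """Split one pipe-delimited record into its fields (images lower-cased)."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def classify(event):
    """Return the chain stage this event matches, or None."""
    for stage, (image_re, parent_re, cmd_re) in STAGE_RULES.items():
        if (re.fullmatch(image_re, event["image"])
                and re.fullmatch(parent_re, event["parent"])
                and re.search(cmd_re, event["cmdline"], re.IGNORECASE)):
            return stage
    return None

def correlate(lines, min_stages=2):
    """Flag hosts on which at least min_stages distinct stages were observed."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```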
A Check Point Research r
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents