Cyberspies Use KONNI Malware to Target North Korea

A remote access Trojan (RAT) that managed to stay under the radar for more than 3 years has been used by cyberspies to target organizations linked to North Korea, Cisco’s Talos research and intelligence group reported on Wednesday.

The malware, dubbed “KONNI” by researchers, has likely evaded detection because it has only been used in highly targeted attacks. The malware has evolved over the years, with recent versions capable of stealing data and executing arbitrary code on infected systems.

Talos is aware of several campaigns using this piece of malware over the past years. The first, likely launched in September 2014, involved an SRC file acting as a dropper for two other files: a picture that served as a decoy and the KONNI executable.

In this attack, the KONNI malware was designed to be executed only once and steal information from the infected device, including keystrokes, clipboard content, and data associated with the Chrome, Firefox and Opera web browsers.
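The dropper behaviour described above (one launcher writing a decoy picture and a separate executable) is something a defender can hunt for in endpoint file-creation telemetry. The following is an added example, not code from Talos or from this article: it parses a constructed, simplified file-creation log format (timestamp, pid, launching image, created path) and flags any process that writes both an image-type file and an executable within a short window. The log format, the sample lines and the 30-second window are assumptions made for the example; the KONNI-specific file names are not on the page and are not used here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions treated as "decoy picture" and "dropped payload" respectively
# (assumption for this example; extend to match your own telemetry).
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXT = {".exe", ".dll", ".scr"}

# Constructed log format: "<iso-ts> pid=<n> image=<launcher path> create=<created path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) create=(?P<path>.+)$")

# Constructed sample telemetry (not real KONNI indicators). pid 4120 mimics the
# decoy-plus-executable pattern; the others are benign or outside the window.
SAMPLE_LOG = r"""
2017-05-03T09:12:01Z pid=4120 image=C:\Users\analyst\Downloads\report.scr create=C:\Users\analyst\AppData\Local\Temp\photo.jpg
2017-05-03T09:12:02Z pid=4120 image=C:\Users\analyst\Downloads\report.scr create=C:\Users\analyst\AppData\Local\Temp\svc.exe
2017-05-03T09:15:40Z pid=5011 image=C:\Windows\explorer.exe create=C:\Users\analyst\Pictures\holiday.png
2017-05-03T09:20:00Z pid=6220 image=C:\Program Files\Installer\setup.exe create=C:\Program Files\App\app.exe
2017-05-03T09:30:00Z pid=7001 image=C:\Users\analyst\Tools\editor.exe create=C:\Users\analyst\Pictures\export.png
2017-05-03T09:45:00Z pid=7001 image=C:\Users\analyst\Tools\editor.exe create=C:\Users\analyst\Tools\plugin.dll
"""


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    pid: int
    process: str
    path: str


def parse_event(line: str):
    """Parse one log line into a FileEvent; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return FileEvent(ts, int(m.group("pid")), m.group("image"), m.group("path"))


def suffix(path: str) -> str:
    """Lower-cased extension of a Windows path, e.g. '.JPG' -> '.jpg'."""
    return PureWindowsPath(path).suffix.lower()


def find_decoy_droppers(lines, window: timedelta = timedelta(seconds=30)):
    """Return one hit per (decoy image, executable) pair written by the same
    process within `window` of each other. Events from different processes are
    never paired, and pairs further apart than the window are ignored, so a
    long-running tool that happens to write both kinds of file over time is
    not flagged."""
    by_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            by_pid[ev.pid].append(ev)

    hits = []
    for pid, events in by_pid.items():
        images = [e for e in events if suffix(e.path) in IMAGE_EXT]
        execs = [e for e in events if suffix(e.path) in EXEC_EXT]
        for img in images:
            for exe in execs:
                if abs(exe.ts - img.ts) <= window:
                    hits.append({
                        "pid": pid,
                        "process": img.process,
                        "decoy": img.path,
                        "payload": exe.path,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_decoy_droppers(SAMPLE_LOG.splitlines()):
        print(f"[!] pid {hit['pid']} ({hit['process']}) wrote decoy {hit['decoy']} "
              f"and executable {hit['payload']}")
```

Run against the constructed sample, only pid 4120 is reported: the editor process (pid 7001) writes an image and a DLL but fifteen minutes apart, so it falls outside the window, and the installer and Explorer events involve only one file type each. On real telemetry the heuristic is a triage filter rather than a verdict; pair it with the launching image's origin (downloaded attachment versus installed software) before escalating.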

The second campaign, observed last year, also involved an SRC file, but this time it dropped two Office documents. These documents, one written in English and one in Russian, referenced the tension between North Korea and the U.S., and they were titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet.”

The 2016 attacks leveraged malware that had a different architecture, and introduced new features that also allowed attackers to upload and download files, and execute arbitrary commands. While analyzing this campaign, researchers found evidence suggesting that an operation also took place in 2015.

Experts have already spotted two KONNI campaigns this year. One of the decoy documents was titled “Pyongyang e-mail lists – April 2017” and it contained the email addresses and phone numbers of individuals working at organizations such as the United Nations, UNICEF and embassies linked to North Korea.

Another decoy document, titled “Inter Agency List and Phonebook – April 2017,” contained names and contact information for members of agencies, embassies and other public organizations connected to North Korea. Researchers said it’s unclear whether these are legitimate files stolen by the cyberspies or documents the attackers created themselves.

Compared to previous versions, the latest malware samples are also capable of collecting system information and capturing screenshots. The threat actor has also created 64-bit versions of the malware.

The fact that 3 of the 4 campaigns analyzed by Cisco were aimed at organizations linked to North Korea has led researchers to believe that the threat group behind KONNI has a real interest in this country. The latest attack started a few days ago and it’s still active.

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks

Related: US Suspects North Korea in $81 Million Bangladesh Theft

Related: Kaspersky Links Global Cyber Attacks to North Korea

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
