A remote access Trojan (RAT) that managed to stay under the radar for more than 3 years has been used by cyberspies to target organizations linked to North Korea, Cisco’s Talos research and intelligence group reported on Wednesday.
The malware, dubbed by researchers “KONNI,” has evaded detection likely due to the fact that it has only been used in highly targeted attacks. The malware has evolved over the years, with recent versions capable of stealing data and executing arbitrary code on infected systems.
Talos is aware of several campaigns using this piece of malware over the past years. The first, likely launched in September 2014, involved an SRC file acting as a dropper for two other files: a picture that served as a decoy and the KONNI executable.
In this attack, the KONNI malware was designed to be executed only once and steal information from the infected device, including keystrokes, clipboard content, and data associated with the Chrome, Firefox and Opera web browsers.
The second campaign, observed last year, also involved an SRC file, but this time it dropped two office documents. These documents, one written in English and one in Russian, referenced the tension between North Korea and the U.S., and they were titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet.”
The 2016 attacks leveraged malware that had a different architecture, and introduced new features that also allowed attackers to upload and download files, and execute arbitrary commands. While analyzing this campaign, researchers found evidence suggesting that an operation also took place in 2015.
Experts have already spotted two KONNI campaigns this year. One of the decoy documents was titled “Pyongyang e-mail lists – April 2017” and it contained the email addresses and phone numbers of individuals working at organizations such as the United Nations, UNICEF and embassies linked to North Korea.
Another decoy document, titled “Inter Agency List and Phonebook – April 2017” contained names and contact information for members of agencies, embassies and other public organizations connected to North Korea. Researchers said it’s unclear if these are legitimate files that have been stolen by the cyberspies or if the attackers created the documents themselves.
Compared to previous versions, the latest malware samples are also capable of collecting system information and capturing screenshots. The threat actor has also created 64-bit versions of the malware.
The fact that 3 of the 4 campaigns analyzed by Cisco were aimed at organizations linked to North Korea has led researchers to believe that the threat group behind KONNI has a real interest in this country. The latest attack started a few days ago and it’s still active.