Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Campaigns Targeting North Korea Show Link Between KONNI and DarkHotel

Decoy documents used in two recent cyber espionage campaigns apparently aimed at entities linked to North Korea show a connection between the DarkHotel attacks and a piece of malware named KONNI.

Decoy documents used in two recent cyber espionage campaigns apparently aimed at entities linked to North Korea show a connection between the DarkHotel attacks and a piece of malware named KONNI.

KONNI is a remote access trojan (RAT) that managed to stay under the radar for more than 3 years. The malware has evolved over the past years and it’s currently capable of logging keystrokes, stealing files, capturing screenshots, and collecting information about the infected machine.

KONNI has mainly been used to target organizations linked to North Korea. One of the campaigns spotted by researchers at Cisco Talos this year involves a dropper named “Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr,” which opens a Word document when executed.

Researchers at Cylance noticed that this decoy document, titled “Pyongyang e-mail lists – April 2017,” is very similar to a document delivered in a recent campaign linked by Bitdefender to DarkHotel, a threat group that has been around for nearly a decade.

DarkHotel came to light in November 2014, when Kaspersky published a report detailing a sophisticated cyber espionage campaign targeting business travelers in the Asia-Pacific region. The group, whose members appear to be Korean speakers, possibly from South Korea, has targeted individuals in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany.

The new DarkHotel campaign analyzed by Bitdefender, dubbed “Inexsmar” by the security firm, was aimed at government employees with an interest in North Korea. One of the decoy documents used in the attack is very similar to the one seen in the KONNI attacks – it’s titled “Pyongyang e-mail lists – September 2016” and its content has the same format.

Konni / DarkHotel link

Furthermore, an analysis of the files’ description revealed that they are both titled “Pyongyang directory” and they were both authored by an individual named “Divya Jacob.”

Cylance has conducted a detailed analysis of KONNI and the company’s experts believe that, as a result of the recent attention, the malware’s authors will release new variants that will include better obfuscation and additional capabilities.

Advertisement. Scroll to continue reading.

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks

Related: Kaspersky Links Global Cyber Attacks to North Korea

Related: Jury Out on North Korea Link to Ransomware Attack

Related: New Fileless Attack Targets North Korea

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.