In recent spear-phishing attempts, the Konni APT group has impersonated South Korean government bodies, including the National Human Rights Commission and the National Police Agency, with lures that play on the recipient's fear of an alleged human rights complaint or hacking incident. The lures deliver non-executable malicious files, notably LNK shortcuts and AutoIt scripts, which in turn run the payload. With non-executable file threats on the rise, detection has to go beyond file signatures to endpoint behaviour monitoring through EDR and MDR services. Affected: South Korean government agencies, individuals targeted by the phishing emails, cybersecurity sector
Keypoints :
- Konni APT impersonates South Korean entities for spear-phishing attacks.
- Fear and curiosity are exploited to increase attack success rates.
- Use of malicious LNK shortcut files and AutoIt scripts to execute payloads.
- Emphasis on threat-hunting initiatives due to the rise in non-executable malware.
- Need for organizations to adopt EDR and MDR services for proactive defense.
- Lure themes mirror real hacking incidents involving government agencies, which lends the emails credibility.
- Sender information in the phishing emails is altered to disguise their true origin.
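The LNK lures in the keypoints above lend themselves to cheap static triage before any process is ever spawned: a shortcut's target path, command-line arguments and window style sit in plain fields of the Shell Link format. The script below is an added example written for this digest, not code from Genians or from the linked report. It parses the MS-SHLLINK header and StringData section, applies heuristics that commonly expose weaponised shortcuts (cmd/PowerShell targets, encoded commands, hidden windows, oversized argument strings, SW_SHOWMINNOACTIVE), and runs them over two shortcuts constructed inside the script itself. The heuristics, the 200-character threshold and the cp1252 fallback for non-Unicode strings are assumptions, not details taken from the report.

```python
"""Triage helper for Windows Shell Link (.lnk) lures.

Added example for this digest; not code from Genians or the linked report.
The sample shortcuts are constructed below and are not campaign samples.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), low byte only.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the console window out of sight

# StringData fields follow the optional IDList/LinkInfo in exactly this order.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOSTS = re.compile(
    r'(?:^|[\\/\s"])(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|'
    r'regsvr32|certutil|forfiles)(?:\.exe)?(?=$|\s|")', re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
MAX_BENIGN_ARGS = 200  # assumed threshold; legitimate shortcuts rarely exceed it


def is_lnk(data: bytes) -> bool:
    """Cheap magic check: HeaderSize == 0x4C and the fixed Shell Link CLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a .lnk file."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        # ANSI strings use the creating system's code page; cp1252 is assumed here.
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def assess_lnk(data: bytes) -> list:
    """Return reasons the shortcut looks weaponised (empty list = nothing suspicious)."""
    f = parse_lnk(data)
    target, args = f.get("relative_path", ""), f.get("arguments", "")
    reasons = []
    if SCRIPT_HOSTS.search(target):
        reasons.append(f"target is a script/LOLBin host: {target}")
    if SCRIPT_HOSTS.search(args):
        reasons.append("arguments invoke a script/LOLBin host")
    if ENCODED_CMD.search(args):
        reasons.append("arguments carry an encoded PowerShell command")
    if HIDDEN_WINDOW.search(args):
        reasons.append("arguments request a hidden window")
    if len(args) > MAX_BENIGN_ARGS:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand is SW_SHOWMINNOACTIVE (window suppressed)")
    return reasons


def build_lnk(relative_path, arguments="", working_dir="", icon_location="",
              show_command=1, unicode=True) -> bytes:
    """Construct a minimal .lnk fixture (zero timestamps, no LinkInfo); test data only."""
    flags = (IS_UNICODE if unicode else 0) | HAS_LINK_TARGET_ID_LIST
    id_list = struct.pack("<H", 20) + b"\x00" * 18 + b"\x00\x00"  # dummy ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le" if unicode else "cp1252")
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x80)                          # FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24                                      # Creation/Access/Write times
              + struct.pack("<IIIH", 0, 0, show_command, 0)       # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                                     # Reserved1/2/3
    return header + body


# Constructed fixtures: a typical cmd-to-PowerShell lure and a plain application shortcut.
LURE_LNK = build_lnk(relative_path=r"..\..\..\Windows\System32\cmd.exe",
                     arguments="/c powershell -w hidden -ep bypass -enc " + "A" * 200,
                     icon_location=r"%SystemRoot%\System32\shell32.dll",
                     show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\..\..\Windows\System32\notepad.exe",
                       working_dir=r"C:\Users\Public\Documents")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(blob) or "no findings")
```

Because the checks key on structure rather than on a hash, they keep firing when the actor rebuilds the shortcut with a new icon or a re-encoded command, which is exactly where the MD5 indicators listed below stop helping; run it on attachments at the mail gateway or in the sandbox alongside hash matching.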
MITRE Techniques :
- T1071.001 – Application Layer Protocol: Web Protocols. Command-and-control traffic is carried over HTTP/HTTPS so it blends in with legitimate web traffic.
- T1041 – Exfiltration Over C2 Channel. Collected data is sent out over the existing command-and-control channel rather than a separate connection.
- T1203 – Exploitation for Client Execution. Execution on the victim client is triggered through malicious documents and embedded scripts. Note that the LNK/AutoIt chain described here runs only once the recipient opens the file, so in hunting rules it maps more naturally to User Execution: Malicious File (T1204.002) than to a software exploit.
Indicators of Compromise :
- [MD5] 7449b3528dffeb2babfc113308e47bb7
- [MD5] 1827287811ef97153d0ea850673ecec1
- [MD5] a7f908d3f49b4f53e7f658071aff5410
- [Domain] humanrights.co[.]ke
- [Domain] police.co[.]ke
Full Story: https://www.genians.co.kr/blog/threat_intelligence/konni_disguise