North Korea Hacking Group Konni APT Advanced Persistent Threat Malware – Error Discovery Correction Report Submission Request Guidance (National Tax Collection Act Enforcement Rules).hwp.lnk (2025.1.7)

This article discusses a new malware developed by the North Korean hacking group Konni APT, which targets government agencies and organizations in Korea and the United States. The malware employs various techniques to evade detection, including file manipulation, remote control capabilities, and the use of .LNK files for automatic execution. Affected: Konni APT, government agencies in Korea and the USA, individual users.

Key points:

  • The malware is titled “Error Correction Submission Request Notification (National Tax Collection Act Implementation Rules).hwp.lnk”.
  • Developed by Konni APT, a North Korean hacking group targeting government and military organizations.
  • The malware leverages LNK files to execute malicious code automatically upon user interaction.
  • PowerShell scripts included in the malware facilitate file exploration and remote command execution.
  • Involves file manipulation, encryption, and data exfiltration techniques to hide evidence post-attack.

MITRE Techniques:

  • Execution (T1203) – PowerShell commands are used to search for and execute rshell.exe for remote access.
  • Persistence (T1547) – The malware creates and executes a VBS script placed in the C:\Users\Public\Documents directory to ensure it runs at Windows startup.
  • Defense Evasion (T1140) – The malware deletes original payloads after execution using the Remove-Item command to avoid detection.
  • Collection (T1005) – It collects user files and system information for exfiltration through HTTP requests to an attacker-controlled server.
  • Impact (T1499) – The malware removes traces of its activity to prevent forensic analysis.

Indicators of Compromise:

  • [File Path] %systemroot%\System32\WindowsPowershell\*.exe
  • [File Path] C:\Users\Public\Documents\start.vbs
  • [File Path] C:\Users\Public\elsewhere.cab
  • [File Name] rshell.exe
  • [File Name] elsewhere.cab

Full Story: https://wezard4u.tistory.com/429389