FOCUS MODE
EXTRACT IOC
Threat Research

North Korea KONNI Malware – Virtual Asset Operators Inspection Plan Meeting Presentation_FN2.hwp.lnk (2025.1.23)

iocOne
North Korea KONNI Malware – Virtual Asset Operators Inspection Plan Meeting Presentation_FN2.hwp.lnk (2025.1.23)
North Korean hacking group KONNI has developed malware disguised as a document related to cryptocurrency regulation. The malware executes malicious PowerShell commands, collects personal data, and uploads it to remote servers. The information gathered includes system and file information, enabling attackers to identify the system environment and further exploit it. Affected: North Korean hacking group, individual victims, organizations involved in cryptocurrency.

Keypoints :

  • North Korean hacking group KONNI created malware disguised as a legitimate document.
  • The malware is delivered as a LNK file that executes PowerShell commands upon opening.
  • It searches for the presence of a remote shell executable (rshell.exe) and runs it to enable remote access.
  • The PowerShell code includes functions for file manipulation, encryption, and remote file uploads.
  • Suspicious files are dropped in public folders, and sensitive data is collected and sent to remote servers.
  • The malware utilizes scripts to gather system information and file lists from user directories.
  • Attackers are able to collect and upload personal information, increasing the risk of identity theft.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: PowerShell commands are used for application layer network communication.
  • T1086 – PowerShell: PowerShell is used to run malicious scripts and access system files.
  • T1059.001 – Command and Scripting Interpreter: Command-line arguments are exploited to execute the PowerShell scripts.
  • T1071 – Application Layer Protocol: Used for data upload to remote servers from compromised systems.
  • T1049 – System Network Connections Discovery: Gathers information about network connections and system configurations.

Indicator of Compromise :

  • [MD5] e37c8f6aba686aab3d7ecedbd1d0ef43
  • [SHA-256] 5a8ecafbd5809000334bf5b940a497d0ed750dd11da8a03796f5ce53257cc892
  • [URL] hxxps://teamfuels(.)com/modules/inc/get(.)php?ra=iew&zw=lk0100
  • [IP Address] example-ip (specific IP not mentioned, placeholder used)
  • [File Name] 44462422.bat

Full Story: https://wezard4u.tistory.com/429410

Tags: EXFILTRATION, DISCOVERY, PAYLOAD, EXPLOIT, PASSWORD, GOVERNMENT