This article discusses malware linked to the North Korean hacking group Konni, disguised as a file about virtual asset service providers' anti-money laundering guidelines. The malware uses PowerShell commands embedded in a LNK file to carry out further malicious activity, including data theft and persistence.
Affected: virtual currency sector, Windows systems
Key points:
- Malware disguised as a virtual asset regulatory document, attributed to the Konni hacking group.
- Malware filename: ‘가상자산사업자 자금세탁방지 감독 방향.lnk’, 2 MB in size.
- Contains encoded PowerShell commands that run malicious activity when the shortcut is opened.
- Uses XOR encryption to hide its embedded payloads.
- Achieves persistence through registry modification and LNK file manipulation.
- Collects system information and user file listings for theft.
- Uploads the collected information to a remote server.
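The key points above describe the core of the lure: an oversized .lnk file whose embedded command line launches PowerShell with hidden-window and encoded-command switches. A defender's first step is usually to triage the shortcut itself, without running it. The script below is an added example, not code from the original post or from any analysis of this sample; it parses the .lnk header and StringData section as laid out in Microsoft's [MS-SHLLINK] specification, pulls out the relative path and command-line arguments, flags common PowerShell evasion switches, decodes an `-enc` argument for inspection, and treats a shortcut larger than 64 KB as anomalous (the 2 MB figure from the report is far above that). The 64 KB threshold, the token list, and the two sample shortcuts (including the `Write-Host CONSTRUCTED-PLACEHOLDER` stand-in command) are constructed for the example.

```python
"""Static triage of a Windows shortcut (.lnk) for embedded PowerShell launchers.

Added example: the LNK layout follows [MS-SHLLINK]; the sample shortcuts
built at the bottom are constructed here and are not the reported file.
"""
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones this parser needs.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
# StringData items appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Assumed threshold: genuine shortcuts are a few hundred bytes to a few KB.
OVERSIZE_THRESHOLD = 64 * 1024
# Assumed indicator list: launcher names and PowerShell evasion switches.
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-e ", "-w hidden", "-nop",
                     "iex", "frombase64string", "bypass", "mshta", "wscript")
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def _read_string(buf, offset, unicode_flag):
    """One StringData item: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", buf, offset)[0]
    offset += 2
    width = 2 if unicode_flag else 1
    raw = buf[offset:offset + count * width]
    text = raw.decode("utf-16-le" if unicode_flag else "cp1252", errors="replace")
    return text, offset + count * width


def parse_lnk(buf):
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData; return the strings."""
    if (len(buf) < LNK_HEADER_SIZE or buf[:4] != b"\x4c\x00\x00\x00"
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + IDList bytes
        offset += 2 + struct.unpack_from("<H", buf, offset)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        offset += struct.unpack_from("<I", buf, offset)[0]
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            strings[name], offset = _read_string(buf, offset, flags & IS_UNICODE)
    return {"flags": flags, "strings": strings, "size": len(buf)}


def triage_lnk(buf):
    """Return findings for a shortcut: indicator hits, size anomaly, decoded -enc."""
    info = parse_lnk(buf)
    s = info["strings"]
    args = s.get("arguments", "")
    text = (s.get("relative_path", "") + " " + args).lower()
    findings = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
    if info["size"] > OVERSIZE_THRESHOLD:
        findings.append("oversized_lnk")
    decoded = None
    match = ENCODED_RE.search(args)
    if match:
        try:  # PowerShell -EncodedCommand is base64 over UTF-16LE text
            decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    return {"arguments": args, "findings": findings, "decoded_command": decoded,
            "verdict": "suspicious" if findings else "clean"}


def build_sample_lnk(relative_path, arguments, padding=0):
    """Constructed .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS +
    terminal ExtraData block, optionally padded to mimic an appended payload."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00" + b"\x00" * padding


# Constructed samples: a harmless placeholder stands in for the real payload.
PLACEHOLDER_CMD = "Write-Host CONSTRUCTED-PLACEHOLDER"
ENCODED = base64.b64encode(PLACEHOLDER_CMD.encode("utf-16-le")).decode()
MALICIOUS_SAMPLE = build_sample_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-w hidden -nop -enc " + ENCODED, padding=2 * 1024 * 1024)
BENIGN_SAMPLE = build_sample_lnk("..\\Documents\\report.docx", "")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(label, triage_lnk(sample))
```

The parser deliberately stops after StringData: the ExtraData blocks that follow are not needed to recover the launch command, and anything appended past them (the XOR-encrypted payload the report describes) simply shows up as excess file size. Run the script against a real shortcut with `triage_lnk(open(path, "rb").read())`; a `ValueError` means the file is not a shell link at all, which is itself worth noting for a file that carries a `.lnk` extension.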
MITRE Techniques:
- TA0001 – Initial Access: Uses a LNK file to initiate malware execution.
- TA0002 – Execution: Runs PowerShell commands embedded in the LNK file.
- TA0006 – Credential Access: Collects system information and user files that may yield credentials.
- TA0007 – Defense Evasion: Uses XOR encryption to obscure malicious payloads and hides its execution.
- TA0010 – Persistence: Modifies registry entries under HKCU so the malware runs at startup.
- TA0011 – Collection: Gathers file information from the Downloads, Documents, and Desktop folders.
- TA0013 – Exfiltration: Uploads the collected data to remote servers.
Indicators of Compromise:
- [File Name] 가상자산사업자 자금세탁방지 감독 방향.lnk
- [MD5] c09d17e968b250cadd66ec000d656d19
- [SHA-1] 11f11d2ae39a35e433fe9c8f1b6a79798c447bc7
- [SHA-256] 4a6c23e76524364fe9b9f5ecd46dc73e7714cac93849a380f0d1b746fae3650d
- [URL] hxxp://kerkenraad(.)com/src/upload(.)php
Full Story: https://wezard4u.tistory.com/429413