Friday, May 5, 2017

KONNI Malware Targeting Organizations linked to North Korea

Security researchers at Cisco Talos have found a malware family that targets organizations linked to North Korea. The malware has existed undetected for the last three years. It was dubbed "KONNI" and has been used in targeted attacks. It was able to avoid detection thanks to continuous evolution; the recent versions are capable of executing arbitrary code on the target systems and stealing data.


“Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.” states the analysis published by Talos.

According to Talos, several campaigns have leveraged this piece of malware over the past years. The first attacks observed by Talos were likely launched in September 2014; the threat actors used an SRC file as a dropper for two other files: a picture that served as a decoy and the KONNI executable. The 2014 campaign involved a variant of KONNI that was designed to be executed only once and to steal information from the targets (keystrokes, clipboard content, and data associated with the Chrome, Firefox and Opera web browsers). The decoy document, titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet,” referenced the tension between North Korea and the US. The 2016 attacks used a malware variant with a different architecture and a new set of features that allowed the attackers to upload and download files and execute arbitrary commands on the infected system.

