Security News > 2022 > January > North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware

A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea.
"The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos said.
"Their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted."
Most recent intrusions staged by the group, believed to be operating under the Kimsuky umbrella, involved targeting the Russian Federation's Ministry of Foreign Affairs with New Year lures to compromise Windows systems with malware.
The infections, as with other attacks of this kind, starts with a malicious Microsoft Office document that, when opened, initiates a mult-stage process that involves several moving parts that help the attackers elevate privileges, evade detection, and ultimately deploy the Konni RAT payload on compromised systems.
On top of that, the various support files dropped to facilitate the compromise are also now encrypted using AES. "Cleverly, they reused the algorithm used for string protection, making the file layout identical to the protected strings layout, as they appear in raw memory," Santox detailed.
News URL
https://thehackernews.com/2022/01/north-korean-hackers-return-with.html
Related news
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)
- North Korean hackers linked to $1.5 billion ByBit crypto heist (source)
- OpenAI bans ChatGPT accounts used by North Korean hackers (source)
- North Korean Hackers Steal $1.5B in Cryptocurrency (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist (source)