Watch Out for Malware If You're Interested in the North Korean Missile Program

If you hold an interest in the North Korean Missile Program and are one of those curious to know the capabilities of the recently tested North Korean long-range missile, then you could be a target of a new malware campaign.

North Korea claims to have conducted the first test of an intercontinental ballistic missile (ICBM), the Hwasong-14, on 3rd July, and US officials believe the country may have fired a brand-new missile that has not been seen before.

Now, just a day after the test missile launch, hackers have started using the news to target people interested in the North Korean missile arsenal, which has progressed over the decades from crude artillery rockets to testing what the country claims are long-range missiles that could hit targets in the United States.

Security researchers at Talos Intelligence have discovered a new malware campaign that started on 4th July to target victims with KONNI, a previously unknown Remote Access Trojan (RAT) that has been in use, undetected, for over 3 years.

The KONNI malware is a Remote Access Trojan designed to steal files, record keystrokes, take screenshots, collect system information, including hostname, IP address, username, OS version and installed software, as well as execute malicious code on the infected computer.

How Does the KONNI Malware Work?

The hackers use an email attachment as the initial infection vector to deliver the Trojan through an executable file, which when opened displays an MS Office document disguised as an article about the test missile launch.

However, the content of the document is copy/pasted from an article published on July 3rd by the South Korean Yonhap News Agency.

In reality, the malicious executable drops two different versions of KONNI: event.dll and errorevent.dll.

On 64-bit versions of Windows, both binaries are dropped, while only errorevent.dll is dropped on 32-bit versions of Windows.

The dropped malware is then immediately executed to "ensure that the malware persists and is executed on rebooting the compromised system," the researchers say.

C&C Server Disguises as a Legitimate Climbing Club Website

The malware uses a new Command and Control server hosted on a website that poses as a legitimate climbing club, but the site does not actually contain any real text, only the default placeholder text of the CMS (Content Management System).

The C&C traffic of the malware also takes place as "HTTP POST requests to web pages hosted as /weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself."
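Those three URI paths, combined with the POST method, are the most concrete network indicator the report gives, so they are a natural thing to hunt for in web-proxy logs. The script below is an added example written for this page, not code from the article or from Talos: it parses a simple proxy access log, flags POST requests to the KONNI paths, and lists the hosts those requests went to. The log layout (timestamp, client IP, method, URL, status) is an assumption and the sample lines are constructed; `climbing-club.example` is a placeholder, not the real C&C domain.

```python
import re
from urllib.parse import urlsplit

# URI paths used for KONNI C&C traffic in this campaign, as reported by Talos.
KONNI_C2_PATHS = {
    "/weget/download.php",
    "/weget/uploadtm.php",
    "/weget/upload.php",
}

# Assumed proxy log layout: timestamp, client IP, method, URL, status code.
# Adapt this regex to your own proxy's access-log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path.lower()
    return rec


def is_konni_c2(rec):
    """True when the request is an HTTP POST to one of the known KONNI C2 paths."""
    return rec["method"] == "POST" and rec["path"] in KONNI_C2_PATHS


def hunt(lines):
    """Return every parsed log record that looks like KONNI C2 traffic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_konni_c2(rec):
            hits.append(rec)
    return hits


def suspected_c2_hosts(hits):
    """Distinct destination hosts from the hits, for blocking or further triage."""
    return sorted({h["host"] for h in hits})


# Constructed sample log lines (not real traffic). The GET to download.php and
# the unparsable last line are there to show what the matcher does NOT flag.
SAMPLE_LOG = """\
2017-07-05T09:12:41Z 10.1.2.33 GET http://news.example/ 200
2017-07-05T09:13:02Z 10.1.2.33 POST http://climbing-club.example/weget/upload.php 200
2017-07-05T09:13:05Z 10.1.2.33 POST http://climbing-club.example/weget/uploadtm.php 200
2017-07-05T09:14:10Z 10.1.2.41 GET http://climbing-club.example/weget/download.php 200
2017-07-05T09:15:00Z 10.1.2.33 POST http://climbing-club.example/weget/download.php 200
2017-07-05T09:16:30Z 10.1.2.50 POST http://intranet.example/weget/upload.php 200
this line is not a log entry
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['host']}{h['path']}")
    print("suspected C2 hosts:", suspected_c2_hosts(hits))
```

The match is deliberately on method and path only, because the domain is what the attackers can change most easily; that also means a hit on an unexpected internal host (the `intranet.example` line above) is a triage lead rather than a confirmed infection, and the distinct-host list is what you hand to the people who own the proxy's blocklist.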

In addition, the website also contains a contact section with an address in the USA, but the map below the address points to a location in Seoul, South Korea.

"The threat actors associated with KONNI typically use decoy documents relating to North Korea, and this campaign is no exception. However, in contrast to the convincing decoy document lifted from a 3rd party, the content of the decoy website hosted on the CnC server does not look legitimate," the researchers concluded.

"Nevertheless, this threat actor continues to remain active and continues to develop updated versions of their malware. Organizations which may have an interest in the contents of this decoy document and that used in previous campaigns should ensure that they are adequately protected against this and subsequent campaigns."

So, my advice for users who want to stay protected from such malware is to always be suspicious of uninvited documents sent over email, and never click on links within those documents unless you have verified the source.

Additionally, keep your systems and antivirus updated to protect against the latest threats.