It does not happen all that often that we see an instance of malware targeting North Korea specifically. After all, very little information is known about North Korea and no one wants to touch that powder keg if they can avoid it. Konni is a new type of malware targeting this country specifically, and its Remote Access Trojan has been used for over three years to steal data and profile North Korean organizations. Who is behind this attack and why are they doing this?
Anyone who has remotely been paying attention to the news in recent months knows North Korea is an unstable and nuclear power. No one knows for sure what the country’s objectives are or what type of harm they may possibly cause in the near future. The person responsible for deploying the Konni malware may know a lot more than the rest of the world. Deploying a remote access Trojan against such a dangerous nation could have all kinds of consequences.
Konni’s activity has transpired virtually unnoticed for nearly three years. It is possible Konni was deployed even earlier than that, since the investigation is still ongoing. This remote access Trojan is nothing sophisticated by any means, but it does its job fine and remained undiscovered until very recently. It is believed North Korean targets have suffered from attacks emanating from this malware at least three times in the year 2017 alone.
In fact, the most recent campaign involving Konni came on the heels of North Korea’s successful test of its missiles capable of reaching U.S. mainland targets. This does not necessarily mean the source of this malware is located in the United States, though. The malware has been on the radar of many different security research companies over the past few years. Such an illustrious project with no clear ties to any specific region understandably sparks a lot of speculation.
Konni may be linked to the DarkHotel campaign, which stole information from business travelers at luxury hotels back in 2014. Specific evidence indicates the authors of both types of malware may reside within either North or South Korea. Some experts believe Konni’s creator has ties to South Korea, although no tangible evidence has ever been provided to back up those claims.
The most disconcerting aspect of this RAT (remote access Trojan) is that it appears this malware is still evolving on a regular basis. Konni is a unique RAT in this regard, as it relies on evasive techniques, social engineering, and intelligence harvesting. It is mainly distributed through phishing emails and even comes with a decoy file to remove suspicion. Once installed, the malware runs in the background yet leaves no visual cues to users as to what is going on.
Over the course of the past three years, Konni has proven capable of deleting files, exfiltrating data, creating screenshots, uploading images to a central command & control server, and executing remote commands. Stating that this is a major threat would be a vast understatement. Despite these features, reverse engineering the RAT is still a trivial matter, as there does not appear to be any obfuscation whatsoever. Targeting North Korea is a gutsy move, but Konni seems to do the job just fine.