North Korean Group Konni Targets Cryptocurrency Sector
North Korean-affiliated groups have historically targeted the cryptocurrency domain, with the Lazarus group being the primary culprit. Yet, recent findings from the Chinese research group, CTFIOT, suggest a potential new threat from another North Korean group, Konni. Unlike Lazarus, Konni is diversifying its targets, reaching beyond South Korean victims.
In their latest campaign, the attackers exploit a vulnerability in the WinRAR archiver, CVE-2023-38831. It is triggered when the victim opens a malicious HTML file stored inside an archive, after which the attackers gain remote access to the system.
Once inside, the malware checks whether the system runs a 64-bit or 32-bit architecture. It then contacts its server to download further Base64-encoded directives, which it decodes and executes.
The malware also checks the system for active remote sessions and determines the OS version. It uses this information to pick a suitable UAC (User Account Control) bypass technique and escalate its privileges.
What is notable about Konni's approach is its dynamic module loading, which lets the operators adapt quickly and roll out code updates. To cover its tracks, at the end of the attack the malware registers a concealed system service named "Remote Database Service Update", complicating both detection and any subsequent investigation.
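A defender's check for the final stage described above, as an added example that is not part of the original post or of CTFIOT's research: it scans service-installation records for the service name the post attributes to Konni and for the general pattern of an auto-start service whose binary lives in a user-writable path. The one-line record format, the hostnames, timestamps and binary paths are constructed for the example; only the service name comes from the post.

```python
"""Added example (not from the original post): flag service installations
whose name matches the one the post attributes to Konni, plus the generic
red flag of an auto-start service launched from a user-writable folder.

Input is a few constructed lines in the shape of Windows System log
Event ID 7045 ("A service was installed in the system") records, already
flattened to one line each. The line format is an assumption made for
this example; the service name "Remote Database Service Update" is the
one the post reports, everything else is invented sample data.
"""
import re
from dataclasses import dataclass

# Service names the post reports the malware registers; treat as a watchlist.
SUSPICIOUS_SERVICE_NAMES = {"remote database service update"}

# Constructed sample records (not real telemetry). Assumed format:
# "<timestamp> <host> EventID=7045 ServiceName=... ImagePath=... StartType=..."
SAMPLE_EVENTS = """\
2023-10-05T09:12:01Z WS-14 EventID=7045 ServiceName="Remote Database Service Update" ImagePath="C:\\Users\\Public\\rdsu.exe" StartType="auto start"
2023-10-05T09:13:44Z WS-14 EventID=7045 ServiceName="Windows Update Medic Service" ImagePath="C:\\Windows\\System32\\WaaSMedicSvc.dll" StartType="demand start"
2023-10-05T09:15:10Z WS-22 EventID=7036 ServiceName="Remote Database Service Update" ImagePath="" StartType=""
2023-10-05T09:20:30Z WS-07 EventID=7045 ServiceName="Print Spooler Helper" ImagePath="C:\\Users\\bob\\AppData\\Local\\Temp\\spl.exe" StartType="auto start"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+'
    r'ServiceName="(?P<name>[^"]*)"\s+ImagePath="(?P<path>[^"]*)"\s+StartType="(?P<start>[^"]*)"$'
)


@dataclass
class Finding:
    host: str
    timestamp: str
    service_name: str
    image_path: str
    reasons: tuple


def parse_event(line):
    """Parse one flattened record into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_service_install(ev):
    """Return the reasons a 7045 record deserves a look; an empty list means none."""
    reasons = []
    if ev["name"].strip().lower() in SUSPICIOUS_SERVICE_NAMES:
        reasons.append("known-bad service name")
    path = ev["path"].lower()
    if path and not path.startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("binary outside Windows/Program Files")
    if "\\users\\" in path and ev["start"] == "auto start":
        reasons.append("auto-start service from a user-writable path")
    return reasons


def scan_events(text):
    """Run the checks over every service-installation record in the text."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev["eid"] != "7045":
            continue  # only service-installation events are in scope here
        reasons = assess_service_install(ev)
        if reasons:
            findings.append(Finding(ev["host"], ev["ts"], ev["name"], ev["path"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host}: {f.service_name!r} ({f.image_path}) -> {', '.join(f.reasons)}")
```

The name match is the narrow, high-confidence rule; the path heuristics are there because a renamed service would slip past the watchlist, while a service binary under a user's profile that starts automatically is unusual on a managed workstation regardless of what it is called. On the sample input the first and fourth records are flagged, the benign Windows service is not, and the 7036 status-change record is ignored because only installation events carry the fields being checked.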