KONNI RAT Eyes North Korea


A previously unknown remote administration tool has been uncovered after evading detection by the security community for more than three years. Lately, its targets are associated with North Korea affairs.

Cisco Talos, which discovered the malware, has named it KONNI. It allows the operator to steal files, log keystrokes, take screenshots and execute arbitrary code on the infected host. The last two campaigns by KONNI suggest that the targets are public organizations, Talos said. The investigation revealed targeted email addresses, phone numbers and contacts of members of official organizations such as the United Nations, UNICEF and embassies linked to the Hermit Kingdom.

The actor has relied on social engineering and an email attachment throughout its three years of activity, over the course of four campaigns, though the functionality of KONNI has evolved from a simple information stealer without remote administration to what it is today. Talos noted that the different versions contain code copied and pasted from previous versions, and that the new version searches for files generated by previous versions, meaning the malware has been used several times against the same targets.

The last campaign was started a few days ago and is still active, and the infrastructure remains up and running.

“The RAT has remained under the radar for multiple years. An explanation could be the fact that the campaign was of a very limited nature, which does not arouse suspicion,” Cisco said in an analysis. “This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents. The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who seem to work for a public organization. We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible.”

Researchers added, “Clearly the author has a real interest in North Korea, with three of the four campaigns linked to North Korea.”
