Konni Group Attack Detection

Defenders observe a new phishing attack in which adversaries weaponize a Russian-language Microsoft Word document to distribute malware that can extract sensitive data from targeted Windows instances. The hackers behind this offensive campaign belong to a North Korean group dubbed Konni, which shares similarities with the cyber-espionage cluster tracked as Kimsuky APT.

Detect Konni Group Attacks

The long-running offensive campaign by the North Korean Konni APT group, aimed at RAT malware distribution and data exfiltration, reminds defenders of the escalating risks of phishing attacks that continuously cause a stir in the cyber threat arena. SOC Prime Platform provides a set of new Sigma rules developed by Threat Bounty author Zaw Min Htun to detect the latest Konni campaign. All detection algorithms are compatible with dozens of SIEM, EDR, XDR, and Data Lake technologies and are mapped to the MITRE ATT&CK® framework:

Possible Evasion of Konni Campaign Activity through Detection of Registry Settings (via registry_event)

Possible Konni’s Campaign Malware Execution Flow via Registry Key (via process_creation)

These Sigma rules address the Defense Evasion tactic with the Modify Registry technique (T1112).

Suspicious Konni’s C2 Connection Attempt Detected through the Identification of Associated URL (via proxy)

This detection addresses the Command and Control tactic with the corresponding Application Layer Protocol (T1071) technique and Web Protocols (T1071.001) sub-technique.
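To show how vendor-agnostic Sigma rules like the ones listed above are evaluated against log events before they are translated into a particular SIEM's query language, here is a small added example. It is not SOC Prime's or the Threat Bounty author's code, and the rules in it are constructed stand-ins that follow the Sigma layout (logsource, selection, filter, condition, ATT&CK tags) for the registry_event and proxy log sources; every indicator value is a labelled placeholder, not a real Konni IoC.

```python
"""Minimal Sigma-style rule evaluator run over constructed log events.

Added example, not SOC Prime's or the Threat Bounty author's code.
Indicator values inside the rules are PLACEHOLDERS, not real Konni IoCs.
"""
from typing import Any

# Constructed rules mirroring the Sigma layout for two of the log sources
# named in the post (registry_event and proxy). Values are placeholders.
RULES = [
    {
        "title": "Konni-style Run-key modification (placeholder indicators)",
        "logsource": {"product": "windows", "category": "registry_event"},
        "detection": {
            "selection": {
                "EventType": "SetValue",
                "TargetObject|contains": "\\CurrentVersion\\Run\\",
                "Details|contains": "PLACEHOLDER_KONNI_PAYLOAD",
            },
            # Exclude installer-driven writes to keep noise down (constructed filter).
            "filter": {"Image|endswith": "\\msiexec.exe"},
            "condition": "selection and not filter",
        },
        "tags": ["attack.defense_evasion", "attack.t1112"],
    },
    {
        "title": "Konni-style C2 URL request (placeholder indicators)",
        "logsource": {"category": "proxy"},
        "detection": {
            "selection": {
                "cs-uri|contains|all": ["/PLACEHOLDER_KONNI_PATH/", ".php?"],
                "cs-method": ["GET", "POST"],
            },
            "condition": "selection",
        },
        "tags": ["attack.command_and_control", "attack.t1071.001"],
    },
]


def _match_value(actual: Any, expected: Any, mods: list[str]) -> bool:
    """Apply Sigma string modifiers (contains/startswith/endswith/all), case-insensitively."""
    if actual is None:
        return False
    a = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]

    def one(v: Any) -> bool:
        v = str(v).lower()
        if "contains" in mods:
            return v in a
        if "startswith" in mods:
            return a.startswith(v)
        if "endswith" in mods:
            return a.endswith(v)
        return a == v

    # A list of values is OR by default; the |all modifier turns it into AND.
    return all(map(one, values)) if "all" in mods else any(map(one, values))


def _match_selection(selection: dict, event: dict) -> bool:
    """Every field condition inside one selection must hold (implicit AND)."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        if not _match_value(event.get(field), expected, mods):
            return False
    return True


def _eval_condition(cond: str, results: dict[str, bool]) -> bool:
    """Tiny recursive-descent evaluator for 'a and not b or c' with parentheses."""
    tokens = cond.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():  # or-level
        v = term()
        while peek() == "or":
            take()
            v = term() or v
        return v

    def term():  # and-level
        v = factor()
        while peek() == "and":
            take()
            v = factor() and v
        return v

    def factor():
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr()
            take()  # closing parenthesis
            return v
        return results[t]

    return expr()


def evaluate(rule: dict, event: dict) -> bool:
    """True when the event belongs to the rule's logsource and the condition holds."""
    if any(event.get(k) != v for k, v in rule["logsource"].items()):
        return False
    det = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


def run(rules: list[dict], events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule/event match."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if evaluate(r, e)]


# Constructed events: (0) hits the registry rule, (1) is suppressed by the
# msiexec filter, (2) hits the proxy rule, (3) is benign browsing.
EVENTS = [
    {"product": "windows", "category": "registry_event", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "Details": "C:\\Users\\Public\\PLACEHOLDER_KONNI_PAYLOAD.bat"},
    {"product": "windows", "category": "registry_event", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\app",
     "Details": "C:\\Program Files\\PLACEHOLDER_KONNI_PAYLOAD.exe"},
    {"category": "proxy", "cs-method": "POST", "c-ip": "10.0.0.5",
     "cs-uri": "http://example.invalid/PLACEHOLDER_KONNI_PATH/index.php?id=1"},
    {"category": "proxy", "cs-method": "GET", "c-ip": "10.0.0.6",
     "cs-uri": "http://example.invalid/news/index.html"},
]

if __name__ == "__main__":
    for idx, title in run(RULES, EVENTS):
        print(f"event {idx}: {title}")
```

The logsource block is what lets one rule serve many backends: a SIEM-specific translator maps `category: registry_event` or `category: proxy` to that platform's index and field names, while the selection and condition logic stays unchanged. The `filter` block shows the usual tuning step of suppressing a known-benign writer before the rule is deployed.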

Detection Engineers and Threat Hunters striving to accelerate their cyber defense skill set while sharing their expertise with peers are welcome to join the ranks of SOC Prime's Threat Bounty Program. To help your organization stay ahead of attacks linked to the Konni APT group, rely on the entire collection of relevant Sigma rules augmented with CTI and actionable metadata. Click Explore Detections to drill down to the list of SOC content for Konni-related attacks.

Explore Detections

North Korean Konni APT Group Attack Analysis

FortiGuard Labs uncovered a novel phishing campaign attributed to the North Korean threat actor Konni that takes advantage of a harmful Russian-language Word document to spread malware on the impacted systems. The Konni APT group is notorious for its sophisticated cyber-espionage campaigns aimed at data exfiltration. Adversaries leverage multiple malware samples and tools, continuously evolving their tactics for detection evasion, which poses growing challenges to defenders.

The Konni group has been observed exploiting the WinRAR vulnerability (CVE-2023-38831) and obfuscating Visual Basic scripts to spread Konni RAT and a Windows Batch script aimed at stealing sensitive data from the compromised machines. The ongoing campaign, which has been active for an extended period, takes advantage of RAT malware capable of extracting sensitive data and executing commands on impacted devices. Hackers apply multiple approaches for gaining initial access, delivering payloads, and establishing persistence within the networks of targeted victims.

In the latest campaign, Konni leverages an advanced toolset embedded in a harmful Word document through batch scripts and DLL files. The payload includes a User Account Control (UAC) bypass and encrypted communication with a C2 server, giving attackers the green light to run privileged commands. 

With the increasing number of attacks attributed to North Korean APT groups, global organizations face a growing need for vigilant cybersecurity practices and proactive threat detection measures. By leveraging Uncoder AI, the industry-first IDE for detection engineering, security engineers can write highly resilient detection code faster and smarter, as well as translate it into 65 security language formats in sub-second time.
