If you have an interest in the North Korean missile program and are one of those curious to know the capabilities of the recently tested North Korean long-range missile, then you could be a target of a new malware campaign.
North Korea claims to have conducted the first test of an intercontinental ballistic missile (ICBM), the Hwasong-14, on 3rd July, and US officials believe the country may have fired a brand-new missile that has not been seen before.
Now, just a day after the test missile launch, hackers have started using the news to target people interested in the North Korean missile arsenal, which has progressed over the decades from crude artillery rockets to testing what the country claims are long-range missiles that could hit targets in the United States.
Security researchers at Talos Intelligence have discovered a new malware campaign that started on 4th July to target victims with KONNI, a little-known Remote Access Trojan (RAT) that has been in use for over three years.
The KONNI malware is a Remote Access Trojan designed to steal files, record keystrokes, take screenshots, collect system information (including hostname, IP address, username, OS version and installed software), and execute malicious code on the infected computer.
How Does the KONNI Malware Work?
The hackers use an email attachment as the initial infection vector to deliver the Trojan through an executable file, which, when opened, displays an MS Office document disguised as an article about the test missile launch.
However, the content of the document is copy/pasted from an article published on July 3rd by the South Korean Yonhap News Agency.
In reality, the malicious executable drops two different versions of KONNI: event.dll and errorevent.dll.
On 64-bit versions of Windows, both binaries are dropped, while only errorevent.dll is dropped on 32-bit versions of Windows.
The dropped malware is then immediately executed to "ensure that the malware persists and is executed on rebooting the compromised system," the researchers say.
C&C Server Disguises as a Legitimate Climbing Club Website
The malware uses a new Command and Control server hosted on a website that disguises itself as a legitimate climbing club, but the site does not actually contain any real text, only the default text of the CMS (Content Management System).
The C&C traffic of the malware also takes place as "HTTP POST requests to web pages hosted as /weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself."
In addition, the website also contains a contact section with an address in the USA, but the map below the address points to a place in Seoul, South Korea.
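The three C&C paths quoted above are the most concrete network indicator in the write-up, and the two DLL names are the most concrete host indicator. The following Python is an added example, not code from Talos or from the original article: it matches POST requests against those three paths in a simplified proxy log (the log line format, the hostnames and the IP addresses are constructed for this example) and flags file paths whose basename is one of the dropped DLLs.

```python
import re
from typing import Dict, Iterable, List, Optional

# URI paths named in the Talos write-up as the KONNI C&C endpoints.
KONNI_C2_PATHS = (
    "/weget/download.php",
    "/weget/uploadtm.php",
    "/weget/upload.php",
)

# Filenames of the two KONNI DLLs the dropper writes, per the article.
KONNI_DROPPED_DLLS = ("event.dll", "errorevent.dll")

# Simplified proxy log format assumed for this example (constructed, not a real product's format):
# <timestamp> <client-ip> <method> <url> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_c2_request(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields if the line is a POST to a known KONNI C&C path, else None."""
    m = PROXY_LINE.match(line.strip())
    if not m or m.group("method") != "POST":
        return None
    # Compare on the path only: drop scheme and host, then any query string.
    path = re.sub(r"^https?://[^/]+", "", m.group("url")).split("?", 1)[0]
    if path.lower() in KONNI_C2_PATHS:
        return m.groupdict()
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Collect every log line that looks like KONNI C&C traffic."""
    return [hit for hit in (match_c2_request(line) for line in lines) if hit]


def find_dropped_dlls(paths: Iterable[str]) -> List[str]:
    """Flag file paths whose basename matches one of the dropped KONNI DLL names.

    A bare filename is a weak indicator on its own (event.dll is a generic name), so a
    real detection would correlate this with the process that wrote the file and with
    the network hits above rather than alerting on the name alone.
    """
    flagged = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in KONNI_DROPPED_DLLS:
            flagged.append(p)
    return flagged


# Constructed sample input: one infected client posting to two of the C&C paths,
# one GET to the same path (not C&C), and an unrelated internal upload endpoint.
SAMPLE_PROXY_LOG = [
    "2017-07-04T10:15:01Z 10.0.0.12 GET http://example-climbing-club.invalid/ 200",
    "2017-07-04T10:15:07Z 10.0.0.12 POST http://example-climbing-club.invalid/weget/upload.php 200",
    "2017-07-04T10:16:30Z 10.0.0.12 POST http://example-climbing-club.invalid/weget/download.php?x=1 200",
    "2017-07-04T10:17:02Z 10.0.0.33 GET http://example-climbing-club.invalid/weget/upload.php 404",
    "2017-07-04T10:18:45Z 10.0.0.45 POST http://intranet.example/api/upload.php 200",
]

# Constructed sample file-creation events from an endpoint agent.
SAMPLE_FILE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\errorevent.dll",
    r"C:\Users\alice\AppData\Local\Temp\event.dll",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C2 POST from {hit['client']} at {hit['ts']}: {hit['url']}")
    for path in find_dropped_dlls(SAMPLE_FILE_EVENTS):
        print(f"dropped KONNI DLL name seen: {path}")
```

Matching is done on the URI path after stripping the host so the rule still fires if the actors move the same PHP endpoints to a new domain, which is the part of the indicator that survives a C&C change; the domain itself is deliberately not hard-coded.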
"The threat actors associated with KONNI typically use decoy documents relating to North Korea, and this campaign is no exception. However, in contrast to the convincing decoy document lifted from a third party, the content of the decoy website hosted on the CnC server does not look legitimate," the researchers concluded.
"Nevertheless, this threat actor continues to remain active and continues to develop updated versions of their malware. Organizations which may have an interest in the contents of this decoy document and that used in previous campaigns should ensure that they are adequately protected against this and subsequent campaigns."

So, my advice for users to remain protected from such malware is to always be suspicious of uninvited documents sent over email and never click on links inside those documents without verifying the source.
Additionally, keep your systems and antivirus updated to protect against the latest threats.