A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea.
“The authors are constantly making code improvements,” Malwarebytes researcher Roberto Santos said. “Their efforts aim to break the usual flow of malware that is recorded in sandboxes, making detection harder. This includes regular signatures, because the executable’s most critical components are encrypted.”
The most recent intrusions staged by the group, believed to be operating under the Kimsuky umbrella, targeted the Russian Federation’s Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware.
The infection process, like that of other attacks of this kind, begins when a malicious Microsoft Office file is opened. This initiates a multi-stage process with many moving parts. These components help the attackers elevate privileges and evade detection before finally deploying the Konni RAT payload onto compromised systems.
A new addition to the backdoor’s existing capabilities is the transition from Base64 encoding to AES encryption to protect its strings and obfuscate their true purpose. On top of that, the various support files dropped to facilitate the compromise are also now encrypted using AES.
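To show why the move from Base64 to AES matters for detection, here is an added Python triage helper (example code, not Malwarebytes' analysis tooling or any Konni code): it recovers Base64-protected strings the way a static signature or decoder could, and falls back to an entropy check on blobs it cannot decode. The AES ciphertext is stood in for by a constructed SHA-256 byte stream so the script runs without a crypto library; the URL and seed are made up.

```python
import base64
import hashlib
import math
import re
import string

# Constructed sample: a Base64-protected string, as older builds used.
B64_SAMPLE = base64.b64encode(b"http://update.example.invalid/check.php").decode()


def opaque_blob(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for AES ciphertext: a chained SHA-256 byte stream."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


AES_LIKE_SAMPLE = opaque_blob(b"constructed-seed", 4096)

# Runs of Base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: Base64 text stays well under 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def recover_base64_strings(data: bytes) -> list[str]:
    """Signature-style recovery: Base64 runs that decode to printable text."""
    found = []
    for m in B64_RE.finditer(data):
        try:
            plain = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if plain and all(chr(b) in string.printable for b in plain):
            found.append(plain.decode())
    return found


def triage(blob: bytes) -> str:
    """Tell the analyst which path applies to a protected blob."""
    if recover_base64_strings(blob):
        return "base64"          # static decoding still works
    if shannon_entropy(blob) > 7.0:
        return "high-entropy"    # likely encrypted: key must come from the decryptor or memory
    return "unknown"
```

The same classifier applies to the dropped support files, since the page notes they share the protected-string layout; a "high-entropy" verdict is the signal that static string signatures alone will no longer fire.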
“Cleverly, they reused the algorithm used for string protection, making the file layout identical to the protected strings layout, as they appear in raw memory,” Santos detailed.
The significant updates show how rapidly sophisticated actors can adapt their tactics and techniques to build something powerful and effective that evades security controls and detection.