Wherever you are in the world right now, you have likely heard about the tensions with North Korea and how quickly the situation is escalating. While most people would leave such matters to states, an as-yet unidentified hacker group has specifically targeted North Korea. The group has unleashed Konni, a remote access trojan (RAT) that gives its operators control over the systems and devices it infects. So far two separate campaigns have been observed infecting North Korean organizations.
The first campaign was launched on July 6th, shortly after North Korea's missile test, according to Talos Intelligence. The timing suggests a response to the test itself and to the escalating tensions with North Korea. More recently, on Tuesday, the same group ran another campaign against North Korea using the same malware.
Konni’s Delivery Method and Capabilities
The latest Konni campaign arrives as a Word document containing a news article published by Yonhap. The document is the carrier: the malware it contains runs when the file is opened. Once running, it connects to its command-and-control (C2) server and waits for further instructions, so the user of the PC notices nothing and carries on with their day. The malware does more than beacon to its server: it can also capture the screen and log every keystroke, handing credentials and other sensitive information to the operators behind it.
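As an added example (not code from the original post, nor from Talos's analysis), here is a small Python triage check for the delivery pattern described above: a Word document that carries an executable object which runs once the file is opened. It inspects an OOXML (.docx) container for embedded objects, flags any that are or wrap a Windows PE image, and also notes a VBA project. The sample document is constructed inline and is not a Konni sample; the file names, the fake PE bytes and the PE heuristic are assumptions made for the example, not details taken from the campaign.

```python
import io
import re
import zipfile

# Byte string found in the DOS stub of practically every Windows PE image;
# used to spot an executable wrapped inside an OLE packager blob.
DOS_STUB = b"This program cannot be run in DOS mode"

# Paths under which Word stores embedded OLE objects inside a .docx ZIP.
EMBEDDED_RE = re.compile(r"^word/embeddings/", re.IGNORECASE)


def build_sample_docx(with_embedded_pe: bool) -> bytes:
    """Constructed sample: a minimal .docx with a decoy article and, optionally,
    an embedded OLE object carrying a fake PE image. Fabricated for this
    example so the check runs offline; it is not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document>Decoy: article text copied from a news wire</w:document>")
        if with_embedded_pe:
            # Packager-style blob: an OLE compound-file header followed by a
            # fake PE image (MZ magic, padding, DOS stub), as an embedded EXE
            # would look when extracted from the document.
            cfb_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
            fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 64
            z.writestr("word/embeddings/oleObject1.bin", cfb_header + fake_pe)
    return buf.getvalue()


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob is a raw PE image or wraps one (e.g. inside OLE)."""
    return blob.startswith(b"MZ") or DOS_STUB in blob


def triage_docx(data: bytes) -> dict:
    """Report embedded objects, PE payloads and macros in an OOXML document."""
    report = {"embedded_objects": [], "pe_payloads": [],
              "has_macros": False, "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc files are OLE2 containers, not ZIPs; this check
        # does not parse them (oletools' oleobj/olevba cover that case).
        report["error"] = "not an OOXML container"
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower() == "word/vbaproject.bin":
                report["has_macros"] = True
            if EMBEDDED_RE.match(name):
                report["embedded_objects"].append(name)
                if looks_like_pe(z.read(name)):
                    report["pe_payloads"].append(name)
    report["suspicious"] = report["has_macros"] or bool(report["pe_payloads"])
    return report


if __name__ == "__main__":
    for carries_pe in (True, False):
        print(triage_docx(build_sample_docx(carries_pe)))
```

The check is deliberately conservative: an embedded object that is not executable (a spreadsheet, say) is listed but not flagged, and a document with no ZIP structure is reported as out of scope rather than as clean. In practice you would run it on mail-gateway attachments before a user ever double-clicks the decoy.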
Also Entering: Inexsmar
Thought that was all? Another campaign against North Korea, called Inexsmar, has also surfaced. This malware is derived from the DarkHotel toolkit and specifically targets political figures. The payload does not exploit any zero-day vulnerability; it is delivered directly to the target, who has to open it. The lure is again a Microsoft Word file, this time disguised as a directory listing rather than a news article: the lists contain names and contact information for North Korean embassies, the United Nations and UNICEF.
Intentions & Impacts
While the group responsible has made no official statement, the tooling offers some insight. Both malware families gather intelligence from the infected host and send it to a remote server. The timing of the campaigns also tracks the progress of North Korea's ability to launch an intercontinental ballistic missile.
Both campaigns exploit human failure rather than a software flaw: they depend on misplaced trust and misinformation. One user opening the wrong document can hand the attacker a foothold on the entire network and everything that passes over it.
It's important to keep an eye on what happens between state actors, because there will be downstream impacts for businesses and online communities. We live in a time when an individual programmer may have the ability to bring the world to a grinding halt, and equally the ability to help many people. What happens in North Korea will have ripple effects throughout the world, so stay tuned here for the latest updates.