Konni, the alleged Kimsuky-linked hacker, increases its activity

September 16, 2024

The notorious threat actor Konni, allegedly linked to the North Korean state-sponsored cybercriminal group Kimsuky, has reportedly increased its malicious activity by targeting Russian and South Korean entities.

Based on reports, the malicious actor uses similar tactics, techniques, and procedures (TTPs) to target various industries in Moscow and Seoul. The attacker’s primary goal is cyber espionage against the compromised entities.

Since at least 2021, Konni has targeted the Russian Embassy in Indonesia, the Russian Ministry of Foreign Affairs, and several undisclosed South Korean companies, including a tax law company.

One example of these campaigns is the January 2022 incident, in which Konni tried to compromise Russian embassy officials with a malware strain distributed via email. The email used a New Year’s greeting in its subject line as the lure. A researcher stated that the threat actor’s activity started almost a decade ago and continues today.


Konni primarily uses phishing emails to execute its cybercriminal activities in the targeted regions.

The suspected North Korean threat actor, Konni, commonly employs phishing emails to acquire initial access to targeted systems. Its fraudulent emails frequently use taxes, scholarships, and finance as lures.

Konni’s proprietary remote access trojan gives it complete control over affected devices. In its operations against Russia and South Korea, the threat actor uses similar methods to connect infected devices to its command-and-control (C2) servers.

Furthermore, in both cases it installs malicious modules on the victims’ devices via executable files, and the connection to the C2 server is established via internal prompts. The researchers also believe the threat actor has reused similar attack patterns and process scenarios for years.

However, recent research revealed that the threat actor has integrated unusual attack strategies to improve its efficiency and success rate.

Researchers stated that paying attention to the commonalities between the group’s activities in different countries could help security providers protect organisations and attribute the attacks more precisely.

Lastly, organisations in the targeted countries should be wary of phishing emails, as they are the primary weapon of the malicious entity.
