Konni Group Emerges as New North Korean Cyber Threat

Recent Cybersecurity Report Reveals New Details on South Korean Attacks

A recent report by cybersecurity researchers details the latest attacks on South Korean targets. Particular attention is paid to the activities of the APT37 and Konni hacker groups, which are allegedly linked to North Korea.

Groups of North Korean origin have long treated the cryptocurrency sector as one of their targets, with the main threat coming from the Lazarus group. However, the report indicates that Konni has now entered the scene, employing new techniques, including against victims outside South Korea.

In the new campaign, the attackers exploit a vulnerability in the WinRAR archiver that they had not used before, CVE-2023-38831. When the victim attempts to open an HTML file inside the archive, the malicious code is triggered, granting the attackers remote access to the system.
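As an added illustration for defenders (this code is not from the article or the cited report), the following Python check looks inside a ZIP archive for the structure that public analyses of CVE-2023-38831 describe: a decoy file (here an HTML document, as in the article) placed next to a directory whose name is the decoy name plus a trailing space, with a script stored inside that directory. The sample archives are constructed in memory; the file names, the extension list and the function names are assumptions for the example, not indicators taken from the report.

```python
import io
import zipfile

# Extensions worth flagging when found inside the look-alike directory.
# Assumption for this example: a practitioner would tune this list to policy.
SUSPICIOUS_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr")


def find_cve_2023_38831_pattern(zip_bytes):
    """Return findings for every decoy file that has a look-alike directory.

    Publicly documented CVE-2023-38831 abuse relies on an archive that holds a
    decoy file (e.g. "report.html") and a directory named like the decoy plus
    a trailing space ("report.html "), with a script inside that directory.
    This function only inspects the archive layout; it never extracts or runs
    anything, so it is safe to run over untrusted input.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = {n for n in names if not n.endswith("/")}

    # Collect directory names, whether they appear as explicit entries ("x /")
    # or are only implied by file paths ("x /y.cmd").
    dirs = set()
    for name in names:
        parts = name.split("/")
        for depth in range(1, len(parts)):
            dirs.add("/".join(parts[:depth]))

    findings = []
    for directory in dirs:
        stripped = directory.rstrip(" ")
        if stripped == directory:
            continue  # no trailing space, not the pattern we are looking for
        if stripped not in files:
            continue  # no decoy file shares the directory's visible name
        payloads = sorted(n for n in files if n.startswith(directory + "/"))
        scripts = [p for p in payloads if p.lower().endswith(SUSPICIOUS_EXTS)]
        findings.append({
            "decoy": stripped,
            "lookalike_dir": directory,
            "payloads": payloads,
            "scripts": scripts,
        })
    return findings


def is_suspicious_archive(zip_bytes):
    """True when at least one look-alike directory contains a script-like file."""
    return any(f["scripts"] for f in find_cve_2023_38831_pattern(zip_bytes))


def build_sample_archive(malicious):
    """Constructed test data (not a real sample): a decoy HTML plus, optionally,
    the look-alike directory holding a harmless placeholder .cmd file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.html", "<html><body>decoy document</body></html>")
        if malicious:
            # Directory "report.html " (trailing space) next to "report.html".
            zf.writestr("report.html /report.html .cmd", "echo constructed placeholder")
        else:
            zf.writestr("images/logo.png", "not really a png")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("benign", build_sample_archive(False)),
                        ("lookalike", build_sample_archive(True))):
        print(label, "->", "SUSPICIOUS" if is_suspicious_archive(data) else "clean",
              find_cve_2023_38831_pattern(data))
```

The check is deliberately layout-only: it reads the central directory through the standard library and never extracts members, so it can sit in a mail gateway or a triage script in front of any archiver. Names are compared exactly; a deployment that wants to catch other whitespace variants would normalise names first.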

Another notable aspect is the complex mechanism used to bypass security controls. Once triggered, the malware determines whether the targeted device runs a 64-bit or a 32-bit operating system. The code then connects to the attackers' server and downloads additional instructions encoded in Base64. These instructions are decoded into an executable file and launched.

Next, the program checks for any remote sessions on the computer and identifies the installed operating system version. Based on this information, the code selects an appropriate method to bypass User Account Control (UAC) and obtain elevated privileges.

The attacks also use dynamic loading of additional modules, which allows the code to be adapted and updated quickly. At the final stage of the attack, a hidden service named “Remote Database Service Update” is created on the system, making malware detection and subsequent incident
