Chameleon of the cybercrime world: North Korean group Konni mimics its malicious tactics

Brother

Why do Asian hackers disguise themselves as other groups and what methods do they use to do this?

Cybersecurity experts at Qi An Xin discovered malicious LNK files targeting users in South Korea. When launched, the files unpacked decoy documents and VB scripts. One of these documents was supposedly a guide on how to conduct email security checks.

Initially, the experts suggested that the attack came from the North Korean group APT37, which has repeatedly used a similar method of distributing malware. However, a detailed analysis of the scripts and of the command-and-control server addresses revealed a link between the attackers and Konni, another North Korean group.

By using LNK files in its attacks, which are essentially ordinary Windows shortcuts and have recently been used by a variety of threat actors, the Konni group is evidently trying to disguise its activity as the work of other hacker groups.

In the malware campaign reviewed by the researchers, Konni scripts activated via LNK files performed the following actions:
  1. Created tasks in the Windows Task Scheduler to run the malicious code periodically. This allowed the malware to survive removal of its main files and maintain persistent control over the infected system.
  2. Collected various information about the system, including a list of processes, configuration information, and the contents of user folders.
  3. Sent the collected data to the attackers' command-and-control server.
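As an added defensive example (not from the Qi An Xin report or this post), the following Python check parses Task Scheduler XML and flags the persistence pattern described in step 1: a script host launched on a short repeating interval from a user-writable path. The task XML, paths and thresholds are constructed samples; the XML namespace and element names are the real Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler XML namespace; everything below it is a constructed sample.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

def iso_duration_minutes(value):
    """Convert an ISO-8601 duration of the form PnDTnHnMnS to minutes (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_text, max_interval_min=60):
    """Return the reasons a scheduled task looks like script-based persistence ([] if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if cmd.split("\\")[-1].lower() in SCRIPT_HOSTS:
            reasons.append(f"script host as action: {cmd}")
        if USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd):
            reasons.append("action references a user-writable directory")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = iso_duration_minutes(interval.text)
        if mins is not None and mins <= max_interval_min:
            reasons.append(f"repeats every {mins:g} min")
    return reasons

# Constructed task: wscript.exe running a .vbs from %TEMP% every 10 minutes.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B C:\\Users\\victim\\AppData\\Local\\Temp\\upd.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for reason in assess_task(SAMPLE_TASK):
        print("-", reason)
```

On a live host the same function can be fed the XML exported by `schtasks /query /xml` for each task; any task returning more than one reason deserves a closer look.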

Analysis of the detected malware showed that the methods used were similar to previously published samples also associated with Konni. In particular, the methods of hiding the code, the principle of sending data to the C2 server, as well as the details of the technical implementation coincide.

This indicates a possible connection between Konni and other East Asian groups, such as APT37 and Kimsuky, which use similar methods to hide malicious code inside LNK files, as well as distribute decoy files to increase the effectiveness of attacks.

Thus, the analyzed attack demonstrates both a change in the tactics of the Konni group itself, and a trend towards convergence of methods and exchange of best practices between various APT groups in the Asian region.

To protect themselves from such attacks, experts recommend that users follow several basic rules:
  • Use caution when working with files from suspicious or unverified sources. This is especially true for messages from social networks and email attachments.
  • Make regular backups of important data for quick recovery in case of infection.
  • Install all security updates from software developers in a timely manner, as they often close vulnerabilities exploited by intruders.

The detected activity of the Konni hacker group indicates the constant development of cybercriminal tactics. Using social engineering through decoy documents, distributing malware through LNK files, and sharing best practices with other APT groups — this set of techniques is very effective and dangerous.

Although the main recommendations of experts are relatively simple, the reality is that more and more threats can bypass the protection of ordinary users. Therefore, companies need to actively invest both in technical solutions such as new-generation antivirus programs, and in raising staff awareness of various types of cyber attacks.

Unsystematic protection is no longer sufficient, so a truly integrated approach is needed.