Comnie

Malware Profile (updated 24 days ago)
Comnie is a custom malware family that has been active since at least April 2013 and was first identified by Sophos. It is used in targeted attacks and is notable for obtaining its command and control (C2) information from online blogs and third-party services rather than from hard-coded servers. The malware is delivered primarily through malicious macros in documents that use varying file names and decoy subject matter; the same malicious macros were observed delivering Comnie to targets in Taiwan as early as 2015. Comnie gained prominence through targeted attacks on organizations in East Asia, particularly South Korea and Taiwan. These attacks have been tracked by Unit 42, which described Comnie as a remote backdoor malware family. A comparison of the macro code extracted from a Comnie dropper with a sample from a financial institution's penetration test indicates that the attackers use mature techniques: the malicious macros initially hide the decoy document, which is revealed only once the victim enables macros. Comnie also offers the attacker extended functionality, allowing a batch script (BAT), an executable (EXE), or a dynamic-link library (DLL) to be supplied and executed on the infected host. In its initial stages, Comnie issues specific requests and attempts to connect to an IP address on specified ports. Notably, Comnie uses GitHub to store its C2 information, demonstrating how popular legitimate platforms can be abused to hide malicious infrastructure.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles you may also want to review.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Comnie malware was taken from the documents in the corpus below. This display is limited to 20 results.
Source: MITRE
Created at: a year ago
Title: Comnie Continues to Target Organizations in East Asia