KONNI

Malware updated 2 months ago (2024-09-12T20:18:08.267Z)

Download STIX

Preview STIX

Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia, and various South Korean enterprises. The malware typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The Konni APT utilizes Russian-language weaponized documents as part of its attack strategy, according to multiple reports from Security Affairs. This method of attack is particularly insidious as it uses legitimate-seeming documents to trick users into granting the malware access to their systems. These documents are often disguised as important communications or files, luring unsuspecting victims into opening them and inadvertently initiating the malware infection process. Recently, the cyberespionage activities of the Konni group have escalated, targeting Russia and South Korea more aggressively, as reported by the South Korean cybersecurity firm Genians. This increase in attacks coincides with a general rise in cyber threats globally, including those in Mexico, business email compromise scams warned by the FBI, and various breaches disclosed by Avis, Slim CD, Medicare, and Fortinet. It underscores the importance of robust cybersecurity measures to protect against such sophisticated threats.

Description last updated: 2024-09-12T20:15:41.794Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Kimsuky is a possible alias for KONNI. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit	3
Ta406 is a possible alias for KONNI. TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gai	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Rat

Apt

Phishing

Malware

Fortiguard

Russia

Vulnerability

Decoy

Korean

Trojan

State Sponso...

Cybercrime

Exploits

Exploit

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Amadey Malware is associated with KONNI. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT37 Threat Actor is associated with KONNI. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and	Unspecified	4
The Sandworm Threat Actor is associated with KONNI. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	Unspecified	3
The Konni Group Threat Actor is associated with KONNI. The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to	Unspecified	2
The APT29 Threat Actor is associated with KONNI. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-38831 Vulnerability is associated with KONNI. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil	Unspecified	3

Source Document References

Information about the KONNI Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	2 months ago	Breach Roundup: Mexico in Hacker Spotlight
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	8 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 462 by Pierluigi Paganini
InfoSecurity-magazine	9 months ago	RATs Spread Via Fake Skype, Zoom, Google Meet Sites