KONNI

Malware updated a month ago (2024-11-29T14:46:23.484Z)
Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia, and various South Korean enterprises. The malware typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

The Konni APT uses weaponized Russian-language documents as part of its attack strategy, according to multiple reports from Security Affairs. This method is particularly insidious because it relies on legitimate-seeming documents to trick users into granting the malware access to their systems. These documents are often disguised as important communications or files, luring unsuspecting victims into opening them and inadvertently starting the infection process.

Recently, the cyberespionage activities of the Konni group have escalated, targeting Russia and South Korea more aggressively, as reported by the South Korean cybersecurity firm Genians. This increase in attacks coincides with a general rise in cyber threats globally, including those in Mexico, business email compromise scams that the FBI has warned about, and various breaches disclosed by Avis, Slim CD, Medicare, and Fortinet. This underscores the importance of robust cybersecurity measures to protect against such sophisticated threats.
Description last updated: 2024-09-12T20:15:41.794Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Kimsuky is a possible alias for KONNI. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which | 3
Ta406 is a possible alias for KONNI. TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gai | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Apt
Phishing
Malware
Fortiguard
Russia
Vulnerability
Decoy
Korean
Trojan
State Sponso...
Cybercrime
Exploits
Exploit
Payload
Associated Malware
Alias Description | Association Type | Votes
The Amadey Malware is associated with KONNI. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ | Unspecified | 2
Associated Threat Actors
Alias Description | Association Type | Votes
The APT37 Threat Actor is associated with KONNI. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and | Unspecified | 4
The Sandworm Threat Actor is associated with KONNI. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | Unspecified | 3
The Konni Group Threat Actor is associated with KONNI. The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to | Unspecified | 2
The APT29 Threat Actor is associated with KONNI. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw | Unspecified | 2
Associated Vulnerabilities
Alias Description | Association Type | Votes
The CVE-2023-38831 Vulnerability is associated with KONNI. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil | Unspecified | 3
Source Document References
Information about the KONNI Malware was read from the documents corpus below. This display is limited to 20 results.
Source Link | CreatedAt
BankInfoSecurity | 3 months ago
Securityaffairs | 4 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 7 months ago
Securityaffairs | 8 months ago
Securityaffairs | 8 months ago
Securityaffairs | 8 months ago
Securityaffairs | 9 months ago
Securityaffairs | 9 months ago
Securityaffairs | 9 months ago
Securityaffairs | 9 months ago
Securityaffairs | 10 months ago
InfoSecurity-magazine | 10 months ago