Security experts at Securonix Threat Labs warn of targeted attacks by a North Korean hacker group. The hackers are distributing a Remote Access Trojan (RAT) that has been known since 2014 and does a lot of damage. This is reported by the online magazine Bleeping Computer. It concerns a wave of attacks on targets in Europe that has been going on for months and has so far provided no clues as to who was behind it.
Possible connections to APT28
Securonix Threat Labs is now confident that it is a group in direct contact with the North Korean regime, or very likely acting on behalf of North Korea. “There appears to be a direct correlation between IP address, hosting provider, and hostname between this attack and historical data we’ve seen before from FancyBear/APT28,” said the report from security researchers at Securonix Threat Labs.
Other details point to APT37. The current malware campaign is therefore attributed to the North Korean hacker group APT37. It is aimed at high-level organizations in the Czech Republic, Poland, and other European countries. The malware used is Konni, a Remote Access Trojan (RAT) which, under certain circumstances, can escalate the attackers' privileges and thus give them full access to the victim systems.
The latest wave of attacks on the Russian Foreign Ministry
Konni has been linked to North Korean cyberattacks since 2014 and was recently discovered in a so-called spear-phishing campaign against the Russian Foreign Ministry. The current wave of attacks in the EU starts with “classic” email phishing. The hackers use a manipulated Word document to deliver a file that runs a PowerShell script and launches the attack.
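The infection chain described above (a Word document that ends up launching PowerShell) leaves a visible trace in endpoint telemetry: an Office process as the parent of a script host. The following detection logic is an added example written for this article, not code from Securonix, Bleeping Computer or any Konni analysis. It runs over a handful of constructed, Sysmon-style process-creation events (embedded inline as JSON lines) and flags Office applications spawning shells, with the severity raised when the command line also carries typical evasion flags such as an encoded or hidden-window invocation. The parent/child lists, the flag patterns and the sample events are all assumptions chosen for illustration; real deployments would tune them to their own environment.

```python
import json
import re

# Office applications that should almost never spawn a script host or shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images that indicate script or command execution (assumed list).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments commonly used to hide or obfuscate execution (illustrative patterns).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b|invoke-expression)"
)

# Constructed sample telemetry: simplified Sysmon Event ID 1 fields, serialised as JSON lines.
_SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc UEFZTE9BRA=="},  # constructed blob
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c copy %TEMP%\x.dat %APPDATA%\x.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\splwow64.exe",  # legitimate print helper spawned by Word
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "splwow64.exe 12288"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -enc UEFZTE9BRA=="},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS] + ["<<truncated log line, not JSON>>"]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON-lines telemetry, silently skipping malformed records."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def score_event(ev):
    """Collect reasons why a single process-creation event looks suspicious."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    reasons = []
    if parent in OFFICE_PARENTS and child in SHELLS:
        reasons.append(f"office_spawns_shell:{parent}->{child}")
    for match in SUSPICIOUS_ARGS.finditer(ev.get("CommandLine", "")):
        reasons.append("suspicious_arg:" + match.group(0).lower())
    return reasons


def severity(reasons):
    """Map the collected reasons to a severity, or None if nothing fired."""
    office = any(r.startswith("office_spawns_shell") for r in reasons)
    args = any(r.startswith("suspicious_arg") for r in reasons)
    if office and args:
        return "high"      # Office parent plus evasion flags: the pattern in the article
    if office:
        return "medium"    # Office parent alone: worth a look, may be a macro-driven helper
    if args:
        return "low"       # evasion flags from a non-Office parent: context needed
    return None


def detect(events):
    """Return one alert dict per event that scores above None, in input order."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        sev = severity(reasons)
        if sev is not None:
            alerts.append({
                "severity": sev,
                "parent": basename(ev.get("ParentImage", "")),
                "child": basename(ev.get("Image", "")),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG_LINES)):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["reasons"])
```

On the constructed sample the Word-to-PowerShell event with `-w hidden -enc` scores `high`, the Excel-to-cmd copy scores `medium`, the encoded command run from Explorer scores `low`, and the print helper spawned by Word is correctly ignored because it is not a shell. The same parent/child rule is what most EDR products express as a "Microsoft Office spawning a script interpreter" detection; the value of keeping the argument patterns separate is that an analyst can see at a glance which part of the chain triggered.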
The focus is on companies and politicians, but private users have also been hacked. The Trojan tries to hide as much as possible to evade detection by antivirus programs until it is too late. Some vendors have adapted to the threat: Malwarebytes already advertises that it protects against attacks with the Konni malware.