The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector.
Believed to be associated with APT37 and Kimsuky activity clusters, Konni has been active since at least 2014 and has been seen targeting organizations in South Korea, Russia, Ukraine, and various countries in Europe.
Based on samples analyzed by Check Point researchers, the threat actor's latest campaign focuses on targets in the Asia-Pacific region, as the malware was submitted from Japan, Australia, and India.
The attack begins with the victim receiving a Discord-hosted link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file.
The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive containing a PowerShell backdoor, two batch files, and a UAC bypass executable.
Launching the shortcut file causes the DOCX to open and to execute one batch file included in the cabinet file.
The lure used in the phishing attack
Source: Check Point
The lure DOCX document suggests that the hackers want to compromise development environments, which could provide them "access to sensitive assets, including infrastructure, API credentials, wallet access, and ultimately cryptocurrency holdings."
The first batch file creates a staging directory for the backdoor and the second batch file, and creates an hourly scheduled task masquerading as a OneDrive startup task.
... continue reading