Heading north: the Konni APT group uses "North Korean situation" themes as bait in sustained targeted attacks against Russia
2021-05-21 • ThreatBook
ThreatBook reports a Konni APT campaign using North Korea-related geopolitical lures against Russian-facing organizations. The spear-phishing documents used Russian-language themes such as sanctions’ impact on the DPRK situation and proposals for resolving the Korean crisis, while document metadata and code-page artifacts suggested a Korean-language editing environment. Macro and script stages wrote JavaScript to the victim host, downloaded multi-stage payloads, installed mssvps.dll as a ComSysApp service, and used C2 infrastructure including dragon-pig.onlinewebshop.net, little-dragon.mypressonline.com, and baboivan.scienceontheweb.net. The backdoor collected system and process information, uploaded files, updated C2 configuration, and executed attacker commands.
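As an added defender-side example (not part of the ThreatBook report), the following Python sweeps service-installation records and DNS log lines for the persistence and C2 indicators the summary names: a ComSysApp service whose binary is not the genuine dllhost.exe host, any reference to mssvps.dll, and queries for the listed C2 domains or their subdomains. The record fields, the DNS line format and all sample values are constructed assumptions.

```python
import re
from typing import Dict, List

# C2 domains and the service DLL name are the ones given in the ThreatBook summary.
KONNI_C2_DOMAINS = {"dragon-pig.onlinewebshop.net", "little-dragon.mypressonline.com",
                    "baboivan.scienceontheweb.net"}
KONNI_SERVICE_DLL = "mssvps.dll"
# The genuine ComSysApp service ("COM+ System Application") is hosted by dllhost.exe in System32.
LEGIT_COMSYSAPP = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\dllhost\.exe\b", re.I)

def check_service_event(event: Dict[str, str]) -> List[str]:
    """One service-install record; assumed fields: ServiceName, ImagePath, ServiceDll."""
    findings = []
    name, path, dll = (event.get(k, "") for k in ("ServiceName", "ImagePath", "ServiceDll"))
    if name.lower() == "comsysapp" and not LEGIT_COMSYSAPP.match(path):
        findings.append(f"ComSysApp registered with unexpected binary: {path}")
    if KONNI_SERVICE_DLL in (path + " " + dll).lower():
        findings.append(f"known Konni service DLL referenced: {dll or path}")
    return findings

def check_dns_line(line: str) -> List[str]:
    """Assumed DNS log format: '<timestamp> <client-ip> <queried-name>'; subdomains match too."""
    parts = line.split()
    if len(parts) < 3:
        return []
    qname = parts[-1].rstrip(".").lower()
    return [f"DNS query for Konni C2 domain: {qname}"
            for d in KONNI_C2_DOMAINS if qname == d or qname.endswith("." + d)]

def scan(service_events: List[Dict[str, str]], dns_lines: List[str]) -> List[str]:
    """Run both checks over the inputs and return every finding."""
    findings = [f for ev in service_events for f in check_service_event(ev)]
    findings += [f for line in dns_lines for f in check_dns_line(line)]
    return findings

# Constructed sample input; none of it is taken from the report (GUID is a placeholder).
SAMPLE_SERVICE_EVENTS = [
    {"ServiceName": "ComSysApp", "ImagePath": r"C:\Windows\System32\dllhost.exe /Processid:{PLACEHOLDER-GUID}"},
    {"ServiceName": "ComSysApp", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\mssvps.dll"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]
SAMPLE_DNS_LINES = [
    "2021-05-21T10:00:01 10.0.0.5 www.example.com",
    "2021-05-21T10:00:02 10.0.0.7 dragon-pig.onlinewebshop.net.",
    "2021-05-21T10:00:03 10.0.0.9 cdn.baboivan.scienceontheweb.net",
    "2021-05-21T10:00:04 10.0.0.9 onlinewebshop.net",  # parent domain only: must not match
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_SERVICE_EVENTS, SAMPLE_DNS_LINES)))
```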
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7b13aa205a32cccb8d149e72cadeaeb2 | 2021-05-21 | 2021-05-21 |
| HASH | 879b5fca0f4e3d1769e37e738f3b89b… | 2021-05-21 | 2021-05-21 |
| HASH | b89e79ee9c4834177cbabba9b265910… | 2021-05-21 | 2021-05-21 |
| HASH | 61594306ad5492e1d61f4f42387066a7 | 2021-05-21 | 2021-05-21 |
| URL | http://dragon-pig.onlinewebshop… | 2021-05-21 | 2021-05-21 |
| URL | http://baboivan.scienceontheweb… | 2021-05-21 | 2021-05-21 |
| DOMAIN | little-dragon.mypressonline.com | 2021-05-21 | 2021-05-21 |
| DOMAIN | dragon-pig.onlinewebshop.net | 2021-05-21 | 2021-05-21 |
| DOMAIN | baboivan.scienceontheweb.net | 2021-05-21 | 2021-05-21 |