Analysis of Document-Based Malware from North Korea's Konni Group
2023-01-30 • Somansa • Analysis of document-based malware from North Korea's Konni group
https://www.somansa.com/wp-content/uploads/2023/02/konni_202301.pdf
Attachments
konni_202301.pdf (1 MB)
Somansa analyzed document-based malware attributed to the North Korean Konni group, which has targeted South Korea and other regions since 2017. The report says Konni used HWP documents in earlier attacks against Korean companies and institutions, but shifted to Microsoft Office documents in 2022. Recent lures included cryptocurrency investment, major-accident briefings, and hospital-litigation themes, with RTF remote-template injection used so documents could fetch malicious content from external URLs after opening.