Konni APT attack disguised as a response document for a hospital-related lawsuit emerges
2019-12-12 • ESTSecurity • Konni, an APT attack disguised as a document responding to a hospital-related lawsuit
ESTsecurity analyzed a Konni-attributed APT case involving a malicious Hangul document themed around a legal dispute involving a Gwangju plastic surgery clinic. The report assesses that the document was likely delivered through spear phishing and used HWP content as the initial attack vector. The source references malicious script content and WHOIS-style infrastructure data, but the core evidence is the malicious document and its use by the Konni cluster. Defenders should treat the provided sample and infrastructure details as report-specific indicators while filtering out registrar and reference-domain noise.
Indicators of Compromise