Analysis of a Konni APT Campaign Using AutoIt for Defense Evasion Tactics
2024-07-31 • Genians
Genians analyzed a Konni APT campaign whose lures impersonated South Korean tax notices: tax-evasion reports, source-of-funds explanations, and National Tax Service investigation themes. The spear-phishing emails carried ZIP archives containing malicious LNK files; opening the LNK launched a BAT or VBS script that started the compromise chain. To run its malicious script commands while evading traditional antivirus detection, the campaign abused the legitimate AutoIt interpreter rather than dropping a conventional executable payload. Targets included people working on North Korea-related issues and some cryptocurrency traders.
Indicators of Compromise
HASH values are 32 hex characters, i.e. MD5. Note that bluehost.com and dreamhost.com are shared hosting providers and google-bidout-jp-d.openx.net is an ad-exchange host: they are listed as observed, but blocking them outright would cause collateral damage, so treat those three entries as low-confidence context rather than blocklist material.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 61f65bd593ea0e52ac0dfdc6bc9cd73a | 2024-07-31 | 2026-03-15 |
| IPv4 | 185.231.154.22 | 2024-07-31 | 2026-01-22 |
| IPv4 | 94.103.87.212 | 2024-07-31 | 2026-01-22 |
| IPv4 | 93.183.93.185 | 2024-07-12 | 2026-01-22 |
| IPv4 | 62.113.118.157 | 2024-07-08 | 2026-01-22 |
| DOMAIN | professionaltutors.net | 2024-07-31 | 2025-11-09 |
| HASH | 87dc4c8f67cffc8a9699328face923e2 | 2024-07-12 | 2024-11-10 |
| DOMAIN | phasechangesolutions.com | 2024-07-12 | 2024-10-30 |
| HASH | 9d6c79c0b395cceb83662aa3f7ed0123 | 2024-05-06 | 2024-10-30 |
| DOMAIN | cammirando.com | 2024-04-12 | 2024-10-30 |
| HASH | 5613ba2032bc1528991b583e17bad59a | 2024-07-31 | 2024-08-22 |
| HASH | 3c81dc763a4f003ba6e33cd5b63068cd | 2024-07-31 | 2024-08-22 |
| HASH | d5809e5f848f228634aa45ffe4a5ece0 | 2024-07-31 | 2024-08-22 |
| HASH | 4f865db4192afb5bbcdeb2e899ca97a4 | 2024-07-31 | 2024-08-22 |
| HASH | 3334d2605c0df26536058f73a43cb074 | 2024-04-12 | 2024-08-22 |
| HASH | 7e4edf11343db68c1dace895e02cafd4 | 2024-07-31 | 2024-07-31 |
| HASH | b098959bc405e7e3148e9897e5b15b8c | 2024-07-31 | 2024-07-31 |
| HASH | 95b8ceebbd6e983914a13c1cd774028a | 2024-07-31 | 2024-07-31 |
| HASH | 01c2ac204e56fe4c0098a2d28b8e304a | 2024-07-31 | 2024-07-31 |
| HASH | ae5e525801ec6066b7faa62e1e666270 | 2024-07-31 | 2024-07-31 |
| HASH | a330b834cc2ec19c3e151f07fb4b877c | 2024-07-31 | 2024-07-31 |
| HASH | a3cb0eb10b9917b5c67758c079a759cf | 2024-07-31 | 2024-07-31 |
| HASH | fc20c9023dd7e21bf32a3507480873df | 2024-07-31 | 2024-07-31 |
| HASH | 16eb2cceb920319eaddd5d7b85483cc4 | 2024-07-31 | 2024-07-31 |
| DOMAIN | bluehost.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | nanocanas.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | believeinsanta.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | google-bidout-jp-d.openx.net | 2024-07-31 | 2024-07-31 |
| DOMAIN | samosol.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | balabushkapoolcues.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | dreamhost.com | 2024-07-31 | 2024-07-31 |
| DOMAIN | search-education.com | 2024-07-31 | 2024-07-31 |
| IPv4 | 162.241.253.27 | 2024-07-31 | 2024-07-31 |
| IPv4 | 162.241.216.224 | 2024-07-31 | 2024-07-31 |
| IPv4 | 5.78.68.117 | 2024-07-31 | 2024-07-31 |
| IPv4 | 5.75.181.118 | 2024-07-31 | 2024-07-31 |
| IPv4 | 5.161.182.109 | 2024-07-31 | 2024-07-31 |
| DOMAIN | executivedaytona.com | 2024-07-12 | 2024-07-31 |
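The following is an added example, not code from Genians or from the report: a small triage script that parses the IOC table above into a lookup structure, flags the BAT/VBS-to-AutoIt stage of the chain in process telemetry, and correlates both per process. It assumes events shaped loosely like Sysmon fields (Event ID 1 process create with OriginalFileName and Hashes, 3 network connect, 22 DNS query); the sample events are constructed, the file names in them are not the campaign's real ones, and the page does not say which file carries the reused MD5, so it is attached to a process only to exercise the lookup.

```python
"""Triage helpers for the Konni / AutoIt campaign IOCs (added example, not Genians' code).
Assumes Sysmon-like event dicts; SAMPLE_EVENTS below are constructed, not captured."""
import re
from collections import defaultdict

# Excerpt of the page's IOC table (verbatim rows), embedded so the parser runs offline.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 61f65bd593ea0e52ac0dfdc6bc9cd73a | 2024-07-31 | 2026-03-15 |
| IPv4 | 185.231.154.22 | 2024-07-31 | 2026-01-22 |
| DOMAIN | professionaltutors.net | 2024-07-31 | 2025-11-09 |
| DOMAIN | bluehost.com | 2024-07-31 | 2024-07-31 |
"""

# Shared hosting / ad-network names from the table: never alert on these alone.
LOW_CONFIDENCE = {"bluehost.com", "dreamhost.com", "google-bidout-jp-d.openx.net"}

# Genuine AutoIt interpreter binaries. OriginalFileName comes from the PE version
# resource, so it still matches when the interpreter has been renamed on disk.
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse_ioc_table(text):
    """Parse the markdown IOC table into {type: {value: (first_seen, last_seen)}}."""
    iocs = defaultdict(dict)
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # blank line, header row or separator row
        typ, value, first, last = cells
        if typ == "HASH" and not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            raise ValueError(f"HASH rows on this page are MD5; got {value!r}")
        iocs[typ][value.lower()] = (first, last)
    return iocs


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_autoit_chain(events):
    """Flag the BAT/VBS -> AutoIt stage: an AutoIt interpreter (by file name or PE
    original name) whose parent is a script host. AutoIt run from Explorer or an IDE
    does not match, which keeps developer machines quiet."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        is_autoit = (_basename(ev["Image"]) in AUTOIT_NAMES
                     or ev.get("OriginalFileName", "").lower() in AUTOIT_NAMES)
        if is_autoit and _basename(ev["ParentImage"]) in SCRIPT_HOSTS:
            hits.append({"pid": ev["ProcessId"], "image": ev["Image"],
                         "parent": ev["ParentImage"], "cmdline": ev["CommandLine"]})
    return hits


def match_iocs(events, iocs):
    """Look up file MD5s, destination IPs and DNS names against the parsed table."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            m = re.search(r"MD5=([0-9A-Fa-f]{32})", ev.get("Hashes", ""))
            found = [("HASH", m.group(1).lower())] if m else []
        elif eid == 3:
            found = [("IPv4", ev["DestinationIp"])]
        elif eid == 22:
            found = [("DOMAIN", ev["QueryName"].lower().rstrip("."))]
        else:
            found = []
        for typ, value in found:
            if value in iocs.get(typ, {}):
                hits.append({"pid": ev["ProcessId"], "type": typ, "value": value,
                             "confidence": "low" if value in LOW_CONFIDENCE else "high"})
    return hits


def triage(events, iocs):
    """Per-process verdict: chain hit plus a high-confidence IOC on the same PID is
    'confirmed'; either alone is 'suspicious'; a low-confidence IOC alone is 'informational'."""
    chain_pids = {h["pid"] for h in detect_autoit_chain(events)}
    by_pid = defaultdict(list)
    for h in match_iocs(events, iocs):
        by_pid[h["pid"]].append(h)
    verdicts = {}
    for pid in chain_pids | set(by_pid):
        high = any(h["confidence"] == "high" for h in by_pid[pid])
        if pid in chain_pids and high:
            verdicts[pid] = "confirmed"
        elif pid in chain_pids or high:
            verdicts[pid] = "suspicious"
        else:
            verdicts[pid] = "informational"
    return verdicts


# Constructed telemetry: one LNK-launched chain (Explorer -> cmd.exe running a .bat ->
# renamed AutoIt interpreter), one benign developer run, one benign DNS lookup.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "%TEMP%\notice.bat"', "Hashes": "MD5=" + "0" * 32},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "upd.exe upd.dat",
     # The page does not say which file carries this MD5; reused here only for the lookup.
     "Hashes": "MD5=61f65bd593ea0e52ac0dfdc6bc9cd73a"},
    {"EventID": 22, "ProcessId": 4188, "QueryName": "professionaltutors.net"},
    {"EventID": 3, "ProcessId": 4188, "DestinationIp": "185.231.154.22"},
    {"EventID": 1, "ProcessId": 5001, "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" build.au3',
     "Hashes": "MD5=" + "1" * 32},
    {"EventID": 22, "ProcessId": 2200, "QueryName": "bluehost.com"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, parse_ioc_table(IOC_TABLE)))
```

On the constructed sample the renamed interpreter (PID 4188) is caught by OriginalFileName plus its cmd.exe parent and then corroborated by three high-confidence IOCs, while the developer's own AutoIt3.exe run and the bluehost.com lookup produce no alert; the parent-process condition and the low-confidence set are what keep the detection usable on a fleet where AutoIt is legitimately installed.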