Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)
2023-12-11 • Ahnlab
ASEC reports a Konni phishing campaign that delivered a malicious executable disguised as material about a personal data leak. When run, the malware drops obfuscated JSE scripts, a PowerShell script, and a legitimate decoy document under ProgramData, then creates scheduled-task persistence through the JSE components. The PowerShell backdoor is designed to receive obfuscated XML-format commands from C2, but ASEC could not observe final operator behavior because the C2 was unavailable.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | b58eb8a3797d3a52aba30d91d207b688 | 2023-12-06 | 2024-09-05 |
| DOMAIN | gjdow.atwebpages.com | 2023-12-06 | 2024-09-05 |
| HASH | a93474c3978609c8480b34299bf482b7 | 2023-12-06 | 2023-12-11 |
| HASH | 682b5a3c93e107511fdd2cdb8e50389a | 2023-12-06 | 2023-12-11 |
| HASH | 78ea811850e01544ca961f181030b584 | 2023-12-06 | 2023-12-11 |
| HASH | d634cb7b45217ca4fd7eca5685a64f50 | 2023-12-06 | 2023-12-11 |
| HASH | d06d1c2ec1490710133dea445f33bd19 | 2023-12-06 | 2023-12-11 |