Analysis of the Konni Group's Information-Theft Operation Using an Email Security Check Manual as Bait
2023-12-18 • Qianxin • Analysis of Konni organization's information-theft operation using an email security check manual as bait
QiAnXin analyzed Konni activity against South Korean targets that used oversized malicious LNK files paired with Korean-language lure documents, including an email security check manual for Naver, Daum, and Gmail. Each LNK file dropped a decoy document and a VBS script, then issued GET requests to compromised website infrastructure such as shaira1885.com and messengerin.com to fetch follow-on scripts. The scripts established persistence through a scheduled task; collected directory listings, the host's public IP address, and process, system, and registry data; and exfiltrated files to the C2 server with host-alias and filename fields attached. QiAnXin assesses that the samples are more consistent with Konni than with APT37, while noting that the LNK tradecraft is shared with APT37 and Kimsuky.
Indicators of Compromise