North Korean APT (Advanced Persistent Threat) group Konni exploits a recently disclosed WinRAR vulnerability to launch its first attack on the cryptocurrency sector.

A new vector of attack

North Korean APT group Konni has made headlines by exploiting a recently disclosed WinRAR vulnerability (CVE-2023-38831) to target the cryptocurrency industry, according to a Chinese security firm Chuangyu 404 Lab.  This move represents a deviation from their targets, primarily in South Korea, and the first instance of an APT group leveraging this particular vulnerability for an attack. 

In a statement on Seeburg, the group used a malicious payload disguised as a wallet screenshot, specifically targeting the cryptocurrency sector. The payload was named “wallet_Screenshot_2023_09_06_Qbao_Network.zip,” hinting at Qbao Network, a smart cryptocurrency wallet service. This deviation from their usual targets suggests that Konni may be diversifying its attack vectors.

Technical insights and tactics

The vulnerability in question, CVE-2023-38831, allows for the execution of a malicious payload when the victim clicks a specially crafted HTML file within a compressed archive. Also, the payload then runs a series of commands to determine the system architecture and downloads additional payloads from a remote server.

The malware employed by Konni was sophisticated enough to detect the system’s architecture and adapt its tactics accordingly. It used different User Account Control (UAC) bypass techniques based on the system’s specifications, making it a highly adaptable threat.

Until now, North Korean attacks on the cryptocurrency industry were primarily attributed to the Lazarus Group. The entry of Konni into this space indicates a broader strategy by North Korean hackers to target cryptocurrency exchanges and financial platforms. 

This development is particularly concerning given recent incidents involving other cryptocurrency platforms like Stake and CoinEx. The attack also raises questions about the preparedness of the cryptocurrency industry to fend off sophisticated threats, especially those that exploit newly disclosed vulnerabilities.

The attack by Konni serves as a wake-up call for both the cybersecurity and cryptocurrency communities. With the exploitation of a new vulnerability and a shift in target industries, Konni has demonstrated the evolving nature of APT threats. Organizations, especially those in the cryptocurrency sector, need to be vigilant and proactive in updating their security measures to defend against these advanced and ever-changing threats.

North Korean APT (Advanced Persistent Threat) group Konni exploits a recently disclosed WinRAR vulnerability to launch its first attack on the cryptocurrency sector.

A new vector of attack

North Korean APT group Konni has made headlines by exploiting a recently disclosed WinRAR vulnerability (CVE-2023-38831) to target the cryptocurrency industry, according to a Chinese security firm Chuangyu 404 Lab.  This move represents a deviation from their targets, primarily in South Korea, and the first instance of an APT group leveraging this particular vulnerability for an attack. 

In a statement on Seeburg, the group used a malicious payload disguised as a wallet screenshot, specifically targeting the cryptocurrency sector. The payload was named “wallet_Screenshot_2023_09_06_Qbao_Network.zip,” hinting at Qbao Network, a smart cryptocurrency wallet service. This deviation from their usual targets suggests that Konni may be diversifying its attack vectors.

Technical insights and tactics

The vulnerability in question, CVE-2023-38831, allows for the execution of a malicious payload when the victim clicks a specially crafted HTML file within a compressed archive. Also, the payload then runs a series of commands to determine the system architecture and downloads additional payloads from a remote server.

The malware employed by Konni was sophisticated enough to detect the system’s architecture and adapt its tactics accordingly. It used different User Account Control (UAC) bypass techniques based on the system’s specifications, making it a highly adaptable threat.

Until now, North Korean attacks on the cryptocurrency industry were primarily attributed to the Lazarus Group. The entry of Konni into this space indicates a broader strategy by North Korean hackers to target cryptocurrency exchanges and financial platforms. 

This development is particularly concerning given recent incidents involving other cryptocurrency platforms like Stake and CoinEx. The attack also raises questions about the preparedness of the cryptocurrency industry to fend off sophisticated threats, especially those that exploit newly disclosed vulnerabilities.

The attack by Konni serves as a wake-up call for both the cybersecurity and cryptocurrency communities. With the exploitation of a new vulnerability and a shift in target industries, Konni has demonstrated the evolving nature of APT threats. Organizations, especially those in the cryptocurrency sector, need to be vigilant and proactive in updating their security measures to defend against these advanced and ever-changing threats.