Security researchers have discovered a number of malware attacks believed to be targeting North Korea, potentially as part of a retribution campaign for the nation’s recent tests of advanced weapons, Cyberscoop reported.
Security researchers have identified two sophisticated malware campaigns directed at entities in North Korea, both of which appear to have launched around or after the isolated nation’s successful test launch of an intercontinental ballistic missile (ICBM) in late June.
Cisco-owned cybersecurity firm Talos Intelligence first spotted a campaign using Konni malware directed at North Korea on July 6, just days after North Korea’s July 3 missile test. At the time, Talos said the campaign appeared “directly related to the launch and the ensuing discussion of North Korean missile technology.”
On Tuesday, researchers at security firm Cylance issued a similar report on Konni, building on Talos’ findings and tying the recent spike in the malware to a campaign directed at the secluded dictatorship.
Konni is a remote access trojan that has been used relatively sparingly, appearing in just five campaigns in the last three years, three of which were launched this year.
The most recent campaign, launched on July 4, uses a Word document containing the text of a Yonhap News Agency article touting North Korea’s recent advances in missile technology. The document is laced with a malicious executable that infects the machine when the file is opened. The implant then begins communicating with a command and control server, from which it receives instructions for further actions against the infected system.
In addition to the Konni attack, security firm BitDefender identified a new campaign using a modified version of the DarkHotel malware known as Inexsmar. DarkHotel was known primarily for targeting business executives and high-profile travelers by compromising hotel Wi-Fi networks; Inexsmar aims similar attacks at political figures.
An Inexsmar campaign observed in July departed notably from DarkHotel’s usual playbook: it delivered the malicious payload through social engineering rather than the zero-day exploits the group typically relies on.
North Korean targets were among those in the crosshairs of the modified DarkHotel attack. The Inexsmar campaign included a malware dropper named “Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr”, a title very similar to the file used in the Konni campaign, “Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr.” Both are .scr files: despite the screensaver association, Windows treats .scr files as ordinary executables and runs them on double-click, so a name that reads like a contact directory is doing the real work of the lure.
The similarities don’t stop there; both files include a similar list of names and contact information for contacts at the United Nations, UNICEF and North Korean embassies. The documents also have a near-identical presentation.
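The shared trait of the two lures above is an executable (a .scr file is a Windows PE) dressed up with a document-like name. The following is an added triage check, not code from the Cyberscoop article or from the Talos, Cylance or Bitdefender reports: it verifies whether a file’s bytes are actually a PE image and flags the mismatch between that content and a filename or extension that suggests a document. The PE and ZIP sample bytes are constructed minimal headers, and the list of document-like words is an assumption, not an indicator from the reports.

```python
import os
import struct

# Filenames quoted in the reports summarised above.
LURE_NAMES = [
    "Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr",
    "Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr",
]

# Extensions Windows will execute directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Words that make a filename look like a harmless document (assumption for this example).
DOCUMENT_WORDS = ("email", "directory", "report", "invoice", "contact", "list", "agenda")


def is_pe(data: bytes) -> bool:
    """True if data begins with an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> list:
    """Return the reasons a file looks like an executable masquerading as a document (empty if none)."""
    ext = os.path.splitext(name)[1].lower()
    pe = is_pe(data)
    doc_like = any(word in name.lower() for word in DOCUMENT_WORDS)
    reasons = []
    if pe and ext not in EXECUTABLE_EXTS:
        reasons.append("PE content behind a non-executable extension")
    if pe and ext == ".scr":
        reasons.append(".scr is a PE executable despite the screensaver association")
    if pe and doc_like:
        reasons.append("executable carrying a document-like name")
    return reasons


def make_fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew at 0x3C pointing to 'PE\\0\\0' at 0x40."""
    data = bytearray(0x44)
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x40)
    data[0x40:0x44] = b"PE\x00\x00"
    return bytes(data)


# Constructed sample contents: a fake PE and a fake OOXML (ZIP) document.
FAKE_PE = make_fake_pe()
FAKE_DOCX = b"PK\x03\x04" + b"\x00" * 60


if __name__ == "__main__":
    samples = [(n, FAKE_PE) for n in LURE_NAMES]
    samples.append(("Pyongyang Directory Group email April 2017.docx", FAKE_DOCX))
    samples.append(("report.doc", FAKE_PE))  # extension spoofing: PE bytes behind .doc
    for name, data in samples:
        verdict = classify(name, data)
        print(f"{name!r}: {'SUSPICIOUS ' + '; '.join(verdict) if verdict else 'ok'}")
```

The check deliberately keys on content, not on the name alone: a genuine .docx with the same lure title produces no findings, while PE bytes behind a .doc extension are caught even without the .scr tell. In practice this belongs in a mail-gateway or sandbox pre-filter, where the file header is cheap to read before any heavier analysis.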
Beyond being a response to North Korea’s increased efforts to develop long-range ballistic weapons, the malware attacks also come at a time when the nation has turned its own hacking efforts toward more financially motivated campaigns.