#1259603: Korean-speaking Konni group's 'Operation BlueSky' makes use of the Russian 'Amadey' botnet

Description: Translated - https://translate.google.com/translate?hl=nl&sl=ko&tl=en&u=https%3A%2F%2Fblog.alyac.co.kr%2F2308

On Jan. 02, we released the Konni APT campaign report 'Operation Hunter Adonis', concerning passwords. Recently, their cyber threat activities have been detected again.

File Name: Requested policy materials .doc (BlueSky)
MD5: 0eb6090397c74327cd4d47819f724953
C2: filer1.1apps[.]com

File Name: Gentryon Wallet Resources .doc (BlueSky)
MD5: 2bfbf8ce47585aa86b1ab90ff109fd57
C2: filer2.1apps[.]com
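The indicators above (and the secondary C2 host named in the April section further down) are published defanged, so a defender has to refang them before matching. The following script is an added example, not code from ESRC or from this feed entry: it refangs the page's three C2 hostnames, matches them against constructed proxy log lines, and checks observed MD5 values against the two hashes listed above. The log lines and the benign hash are constructed sample input.

```python
"""IOC matching for the Operation BlueSky indicators listed on this page.

Added example; not code from ESRC or the feed. Only the two MD5 hashes and the
three defanged C2 hostnames on the page are used; the proxy log lines and the
extra hash below are constructed sample input.
"""
import re
from typing import Iterable

# Defanged indicators exactly as published on the page
PAGE_C2_DEFANGED = [
    "filer1.1apps [.] com",
    "filer2.1apps [.] com",
    "alabamaok0515.1apps [.] com",
]
PAGE_MD5 = {
    "0eb6090397c74327cd4d47819f724953": "Requested policy materials .doc (BlueSky)",
    "2bfbf8ce47585aa86b1ab90ff109fd57": "Gentryon Wallet Resources .doc (BlueSky)",
}


def refang(indicator: str) -> str:
    """Turn a defanged hostname such as 'filer1.1apps [.] com' back into 'filer1.1apps.com'."""
    # tolerate '[.]', ' [.] ', '(.)' and an 'hxxp(s)://' scheme, all common in reports
    s = re.sub(r"\s*[\[\(]\.[\]\)]\s*", ".", indicator.strip())
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    return s.lower()


C2_HOSTS = {refang(d) for d in PAGE_C2_DEFANGED}

# Constructed sample proxy log (not from the page): timestamp, client IP, method, URL, status
SAMPLE_PROXY_LOG = """\
2019-05-14T09:12:01Z 10.0.0.21 GET http://filer1.1apps.com/update.doc 200
2019-05-14T09:12:05Z 10.0.0.21 GET http://www.example.org/ 200
2019-05-14T09:13:40Z 10.0.0.33 POST http://alabamaok0515.1apps.com/gate.php 200
2019-05-14T09:14:02Z 10.0.0.45 GET https://example.com/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(url: str) -> str:
    """Extract the lower-cased hostname (no scheme, port or path) from a URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def match_c2_in_log(log_text: str) -> list:
    """Return (timestamp, client_ip, host) for every request whose host is a listed C2 hostname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected five-field layout
        ts, client, _method, url, _status = m.groups()
        host = host_of(url)
        if host in C2_HOSTS:
            hits.append((ts, client, host))
    return hits


def match_md5(observed: Iterable[str]) -> dict:
    """Map each observed MD5 (any letter case) that is on the IOC list to the page's file name for it."""
    return {h.lower(): PAGE_MD5[h.lower()] for h in observed if h.lower() in PAGE_MD5}


if __name__ == "__main__":
    for hit in match_c2_in_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    # constructed hash observations: one IOC hash in upper case, one unrelated hash
    print(match_md5(["0EB6090397C74327CD4D47819F724953", "d41d8cd98f00b204e9800998ecf8427e"]))
```

Matching is on the exact hostname rather than on the shared `1apps.com` parent, because the page only names these three hosts and the parent is a hosting service that may serve unrelated sites.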

The 'Konni' group, one of the leading Korean-speaking APT threat groups, remains shrouded in secrecy.

Recently, variants have been discovered one after another, and it is notable that the same "BlueSky" account disclosed in the Hunter Adonis report is being used again.
ESRC named this cyber operation "Operation BlueSky" because a continuing APT attack was traced to that one account.

The threat begins with a malicious Word (DOC) document, delivered primarily through spear phishing.

■ Konni returns in April

A malicious document file created on April 29, 2019 displays, next to the security warning shown when it is opened, a message that induces the user to run the macro.

[Figure 1] Guidance message screen inducing macro execution

What is interesting here is that the same body text was used in the previously analyzed case "TA505 group, spreading malicious e-mails disguised as Excel documents".

It is still unclear whether the two threat groups are directly or indirectly related, or whether material published on the Internet was reused and the overlap is accidental.
If the user clicks the [Enable Content] button, the document connects to the C2 server as instructed by the embedded VBA code and downloads additional files.

(See details in this link)

The attacker's command downloads and runs another document file from a C2 server whose domain impersonates a well-known Korean portal site.

While investigating that server, ESRC was able to identify other files stored on it because directory listing was enabled.

[Figure 2] List of other files stored on the C2 server

It contains a total of 12 DOC documents, most of which are intended for attacks.

Each document mostly shows password-protected content or financial statements, and all were created under the same "BlueSky" account.

[Figure 3] Collection of DOC document execution screens

Because the files were produced for the same purpose, the description is based on a single representative file.

First, the macro attempts to communicate with the secondary C2 server address 'alabamaok0515.1apps[.]com'.

(See details in this link)


■ Konni returns in May

ESRC identified additional variants created on May 13. As in April, the 'BlueSky' account and the attack vector follow almost the same flow, and the malicious DOCs are based on Korean code page 949.
In this attack, however, the attackers obfuscated the C2 URL inside the macro code in a simple way, a technique similar to the earlier Adonis operation.

(See details in this link)

When an infected bot connects to a session, malicious commands set by the attacker are executed and information from the infected computer may be leaked.

[Figure 10] AMADEY Control Center (CC) screen

It is notable that the Konni group is using the AMADEY botnet through Operation BlueSky, and ESRC is conducting ongoing research into the attack tools and tactics used by this group.

Source: https://translate.googleusercontent.com/translate_c?depth=1&hl=nl&rurl=translate.google.com&sl=ko&sp=nmt4&tl=en&u=https://blog.alyac.co.kr/2308&x
More info: https://blog.alyac.co.kr/2308

Date added May 16, 2019, 12:23 a.m.
Source alyac.co.kr
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • . APTs - Advanced Persistent Threats - New Reports in
  • Nokki / Konni Malware (possibly North Korean, tied to REAPER APT Group)
Country Republic of South Korea