Full Report
Key Findings: Introduction
Check Point Research (CPR) identified an ongoing phishing campaign that we associate with KONNI, a North Korean–linked threat actor active since at least 2014. KONNI is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. The group typically relies […]
The post KONNI Adopts AI to Generate PowerShell Backdoors appeared first on Check Point Research.
Analysis Summary
# Threat Actor: KONNI
## Attribution & Identity
* **Attribution:** North Korean–linked threat actor.
* **Active Since:** At least 2014.
* **Known Aliases/Associated Groups:** None stated in the excerpt; the campaign is attributed to KONNI itself.
## Activity Summary
CPR identified an ongoing phishing campaign linked to KONNI. This recent operation shows a notable expansion in targeting scope and the adoption of new tooling, specifically leveraging AI to generate components of the malware. The campaign targets software developers and engineering teams, focusing on those with expertise or access to blockchain-related resources and infrastructure.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via lure content disguised as legitimate project documentation (e.g., architecture, technology stacks).
- **Delivery Mechanism:** The infection chain starts with a Discord-hosted link downloading a ZIP archive.
- **Droppers/Loaders:** Utilizes a weaponized Windows shortcut (LNK) file that launches an embedded, XOR-encoded PowerShell loader.
- **Obfuscation/Encoding:** Embedded files (DOCX lure and CAB archive) within the LNK file are XOR-encoded using a single-byte key.
- **Distraction:** Opens the DOCX lure document on the victim's machine to distract the user while the CAB archive is extracted.
- **Staging:** Extracts a CAB archive containing further payloads.
- **Malware Generation:** The PowerShell backdoor is AI-generated, marking the group's adoption of AI-enabled tooling.
## Targeting
- **Sectors:** Organizations and teams focused on software development, engineering, and specifically those involved in blockchain/cryptocurrency initiatives.
- **Geography:** Historically focused on **South Korea**. This recent campaign indicates broader targeting across the **APAC region, including Japan, Australia, and India.**
- **Victims:** Organizations and individuals in **diplomatic channels, international relations, NGOs, academia, and government** (historical focus). Recent focus targets developers with access to sensitive assets like infrastructure, API credentials, and crypto holdings.
## Tools & Infrastructure
* **Malware Families Used:** AI-generated PowerShell backdoor.
* **Infrastructure (C2, domains, IPs - defanged):**
  * filetrasfer.wuaze[.]com
  * goldenftp.rf[.]gd
  * plaza.xo[.]je
  * gabber.42web[.]io
  * humimianserver.kesug[.]com
  * drone.ct[.]ws
  * 46.4.112[.]56
  * 192.144.34[.]77
  * 192.144.34[.]40
  * 34.203.111[.]164
  * 223.16.184[.]105
## Implications
KONNI is diversifying its portfolio beyond traditional espionage targets (government, diplomacy) to include financially motivated targets, specifically those involved in high-value crypto/blockchain infrastructure. The adoption of AI for generating core components like PowerShell backdoors suggests an accelerated development cycle and potentially improved evasion capabilities, aligning with broader trends observed among sophisticated threat actors.
## Mitigations
*(Mitigations were not explicitly detailed in the provided excerpt; the following are derived from the TTPs above.)*
- **Defend against Spear-Phishing:** Implement rigorous security awareness training focusing on unsolicited links (especially from Discord) and lures disguised as technical project documentation.
- **LNK File Security:** Restrict or monitor the execution of LNK files from untrusted archives.
- **PowerShell Monitoring:** Implement strict logging and monitoring policies for PowerShell execution, focusing on obfuscated or single-byte XOR-decoded scripts.
- **File Extraction Scanning:** Ensure endpoint detection and response (EDR) systems actively scan and analyze files extracted from archives (ZIP, CAB).
- **AI/ML Tool Awareness:** Maintain vigilance regarding newly observed malware construction methods, such as AI-generated code payloads.
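As an added example (not Check Point Research's code, and not anything taken from the campaign), the Python triage helper below shows how the single-byte XOR encoding described under Tactics, Techniques & Procedures is undone during analysis, and is the kind of check the LNK and archive-scanning mitigations above ask for: it tries all 256 keys against the magic bytes of the two embedded file types named in the report (a DOCX, which is a ZIP container, and a CAB archive), carves each candidate and validates it structurally so that a chance four-byte match is rejected. The sample container, the key 0x5A and the member names are constructed assumptions; no sample from the campaign is used.

```python
"""Triage helper for containers that hide single-byte-XOR-encoded files.

Added example; not Check Point Research's code and not KONNI tooling. It scans a
blob (for instance a suspicious .lnk pulled from a ZIP) for embedded DOCX/ZIP and
CAB payloads behind a single-byte XOR key, carves them and validates each carve.
The sample container built below is constructed test data; the key 0x5A and the
member names are assumptions.
"""
import io
import re
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

# Magic bytes of the embedded file types the report describes: DOCX is a ZIP
# container (local file header "PK\x03\x04"); CAB archives start with "MSCF".
MAGICS: Dict[str, bytes] = {"zip": b"PK\x03\x04", "cab": b"MSCF"}
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record, 22 bytes plus comment
CAB_HEADER_LEN = 36       # size of the CFHEADER structure


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_xor_candidates(blob: bytes) -> List[Tuple[int, int, str]]:
    """Sorted (offset, key, kind) for every place a known magic appears once
    decoded with some single-byte key. Rather than decoding the blob 256 times,
    each magic is XOR-encoded with each key and the raw bytes are searched for
    that pattern; key 0 catches files that were never encoded."""
    hits: List[Tuple[int, int, str]] = []
    for key in range(256):
        for kind, magic in MAGICS.items():
            for m in re.finditer(re.escape(xor_bytes(magic, key)), blob):
                hits.append((m.start(), key, kind))
    return sorted(hits)


def _carve_zip(blob: bytes, off: int, key: int) -> Optional[dict]:
    """Bound the archive by its (encoded) EOCD record, decode it and let zipfile
    verify every member CRC; a chance 4-byte magic match fails here."""
    p = blob.find(xor_bytes(ZIP_EOCD, key), off)
    if p < 0 or p + 22 > len(blob):
        return None
    comment_len = struct.unpack_from("<H", xor_bytes(blob[p + 20:p + 22], key))[0]
    region = xor_bytes(blob[off:p + 22 + comment_len], key)
    try:
        with zipfile.ZipFile(io.BytesIO(region)) as zf:
            if zf.testzip() is not None:
                return None
            names = zf.namelist()
    except (zipfile.BadZipFile, ValueError, OSError):
        return None
    is_docx = "[Content_Types].xml" in names and "word/document.xml" in names
    return {"offset": off, "key": key, "kind": "docx" if is_docx else "zip",
            "size": len(region), "members": names}


def _carve_cab(blob: bytes, off: int, key: int) -> Optional[dict]:
    """Read cbCabinet (offset 8) and the folder/file counts (offset 26) from the
    decoded CFHEADER and require the declared size to fit inside the blob."""
    if off + CAB_HEADER_LEN > len(blob):
        return None
    hdr = xor_bytes(blob[off:off + CAB_HEADER_LEN], key)
    cb_cabinet = struct.unpack_from("<I", hdr, 8)[0]
    folders, files = struct.unpack_from("<HH", hdr, 26)
    if cb_cabinet < CAB_HEADER_LEN or off + cb_cabinet > len(blob) or folders == 0:
        return None
    return {"offset": off, "key": key, "kind": "cab", "size": cb_cabinet,
            "folders": folders, "files": files}


def carve_embedded_files(blob: bytes) -> List[dict]:
    """Validate candidates in offset order; anything inside an already-validated
    file (a second ZIP local header, a chance match in its data) is skipped."""
    found: List[dict] = []
    covered_until = 0
    for off, key, kind in find_xor_candidates(blob):
        if off < covered_until:
            continue
        hit = _carve_zip(blob, off, key) if kind == "zip" else _carve_cab(blob, off, key)
        if hit:
            found.append(hit)
            covered_until = off + hit["size"]
    return found


SAMPLE_KEY = 0x5A  # assumption for the constructed sample, not a key from the report


def build_sample_container() -> Tuple[bytes, bytes, bytes]:
    """Constructed stand-in for a weaponized shortcut: a genuine LNK header
    (size field 0x4C plus the ShellLink CLSID), filler, then a tiny DOCX-shaped
    ZIP and a header-only CAB, both XOR-encoded with SAMPLE_KEY."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED keeps the bytes predictable
        for name, body in (("[Content_Types].xml", b"<Types/>"),
                           ("word/document.xml", b"<w:document/>")):
            zf.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), body)
    docx = buf.getvalue()
    cab_len = CAB_HEADER_LEN + 8
    cab = (b"MSCF" + b"\x00" * 4 + struct.pack("<I", cab_len) + b"\x00" * 4
           + struct.pack("<I", CAB_HEADER_LEN) + b"\x00" * 4 + bytes([3, 1])
           + struct.pack("<HHHHH", 1, 1, 0, 0, 0))
    cab += b"\x00" * (cab_len - len(cab))
    lnk_header = (b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
                  + b"\x00" * 32)
    return lnk_header + xor_bytes(docx, SAMPLE_KEY) + xor_bytes(cab, SAMPLE_KEY), docx, cab


if __name__ == "__main__":
    sample, _, _ = build_sample_container()
    for entry in carve_embedded_files(sample):
        print(entry)
```

Two design points matter for day-to-day triage. Bounding the ZIP by its end-of-central-directory record and then running `testzip()` means a four-byte coincidence never gets reported as a lure document, and reading `cbCabinet` from the decoded CAB header does the same for the archive. The `covered_until` cursor stops the second ZIP local file header (one per member) from being reported as a separate file. To hunt for other embedded types, add their magic to `MAGICS` and a matching validator; the candidate search itself is format-agnostic.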