North Korean APT (Advanced Persistent Threat) group Konni exploits a recently revealed WinRAR vulnerability to launch its first attack on the cryptocurrency sector.
A new attack vector
North Korean APT group Konni has made headlines by exploiting a recently revealed WinRAR vulnerability (CVE-2023-38831) to target the cryptocurrency industry, according to Chinese security firm Chuangyu 404 Lab. This move represents a departure from its usual targets, which have primarily been in South Korea, and is the first known case of an APT group exploiting this particular vulnerability in an attack.
According to the report published on Seebug, the group used a malicious payload disguised as a screenshot of a wallet, specifically targeting the cryptocurrency sector. The payload was named “wallet_Screenshot_2023_09_06_Qbao_Network.zip,” alluding to Qbao Network, a smart cryptocurrency wallet service. This deviation from its usual targets suggests that Konni may be diversifying its attack vectors.
Technical and tactical insights
The vulnerability in question, CVE-2023-38831, allows a malicious payload to execute when the victim opens a specially crafted HTML file inside a compressed archive. Once running, the payload executes a series of commands to determine the system architecture and then downloads additional payloads from a remote server.
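As an added illustration (not code from the article or from the Chuangyu 404 Lab report), the archive layout that triggers CVE-2023-38831 can be flagged from a ZIP's entry names alone, without extracting anything: the published trigger is a top-level decoy file "X.ext" alongside a folder of the same name (sometimes with a trailing space) holding a script named "X.ext .cmd" or similar. The entry listing below is constructed to mirror the file naming the article describes, and the decoy/script suffix lists are assumptions.

```python
import zipfile
from typing import Iterable

# Suffix lists are assumptions for illustration; tune them to your environment.
DECOY_SUFFIXES = (".jpg", ".jpeg", ".png", ".pdf", ".txt", ".html", ".htm")
SCRIPT_SUFFIXES = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")


def find_cve_2023_38831_pattern(names: Iterable[str]) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs whose layout matches the CVE-2023-38831 trigger.

    Trigger layout: a top-level file "X.ext" plus a directory "X.ext" (optionally
    followed by spaces) that contains a script whose name starts with "X.ext "
    and ends with an executable suffix. Opening the decoy in a vulnerable
    WinRAR runs that script instead of (or as well as) the decoy.
    """
    names = [n.replace("\\", "/") for n in names]
    files = {n for n in names if not n.endswith("/")}  # drop explicit dir entries
    hits = []
    for decoy in files:
        if "/" in decoy or not decoy.lower().endswith(DECOY_SUFFIXES):
            continue  # only top-level, harmless-looking files can be decoys
        for entry in files:
            if "/" not in entry:
                continue
            dirpart, base = entry.rsplit("/", 1)
            if dirpart.rstrip(" ") != decoy:
                continue  # directory must carry the decoy's name
            if base.startswith(decoy + " ") and base.lower().endswith(SCRIPT_SUFFIXES):
                hits.append((decoy, entry))
    return sorted(hits)


def scan_archive(path: str) -> list[tuple[str, str]]:
    """Apply the check to a ZIP on disk; reads only the central directory."""
    with zipfile.ZipFile(path) as zf:
        return find_cve_2023_38831_pattern(zf.namelist())


# Constructed entry listings (not real samples), modelled on the naming above.
SUSPICIOUS = [
    "wallet_Screenshot_2023_09_06_Qbao_Network.html",
    "wallet_Screenshot_2023_09_06_Qbao_Network.html/",
    "wallet_Screenshot_2023_09_06_Qbao_Network.html/"
    "wallet_Screenshot_2023_09_06_Qbao_Network.html .cmd",
]
BENIGN = ["report.pdf", "images/", "images/chart.png"]

if __name__ == "__main__":
    print(find_cve_2023_38831_pattern(SUSPICIOUS))  # one (decoy, script) pair
    print(find_cve_2023_38831_pattern(BENIGN))      # []
```

The same check can be wired into a mail gateway or endpoint scanner by calling scan_archive on attachments before a user ever opens them.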
The malware used by Konni was sophisticated enough to detect the system architecture and adapt its tactics accordingly. It used different User Account Control (UAC) bypass techniques depending on the system's specifications, making it a highly adaptable threat.
Until now, North Korea’s attacks on the cryptocurrency industry were mainly attributed to the Lazarus Group. Konni’s entry into this space indicates a broader strategy by North Korean hackers to attack cryptocurrency exchanges and financial platforms.
This development is particularly concerning given recent incidents involving other cryptocurrency platforms such as Stake and CoinEx. The attack also raises questions about the cryptocurrency industry's readiness to defend against sophisticated threats, especially those that exploit recently disclosed vulnerabilities.
The Konni attack serves as a wake-up call for both the cybersecurity and cryptocurrency communities. With the exploitation of a newly disclosed vulnerability and a shift in target industries, Konni has demonstrated the evolving nature of APT threats. Organizations, especially those in the cryptocurrency sector, must be vigilant and proactive in updating their security measures, including patching WinRAR promptly, to defend against these advanced and ever-changing threats.