North Korean-linked group Konni used spear-phishing to install remote access malware on Windows hosts and then abused a compromised user’s KakaoTalk desktop to send malicious ZIP files to selected contacts, maintaining long-term persistence and stealing internal documents.
KEY FACTS
- Incident: Spear-phishing with a ZIP attachment containing a malicious LNK
- Threat actor: North Korean-linked group Konni
- Malware: AutoIt remote access trojan EndRAT plus additional RAT artifacts
- Propagation: Malicious ZIP files sent via compromised KakaoTalk desktop to selected contacts
A technical analysis by Genians Security Center reported that initial access was achieved through a spear-phishing email that delivered a ZIP attachment containing a Windows shortcut (LNK) file. When executed, the LNK fetched a next-stage payload, established persistence through scheduled tasks, and displayed a PDF decoy while installing a remote access trojan.
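A defender-side check for the lure format described above: the scanner below opens a ZIP attachment and flags any member that is a Windows shortcut, identified by the Shell Link header bytes rather than by file extension, so a shortcut renamed to look like a document is still caught. This is an added example, not code from Genians or from the analysis; the sample archive, its file names and contents are constructed here for illustration.

```python
"""Flag Windows shortcut (.lnk) members inside a ZIP attachment by content."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header (content-based check)."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip(blob: bytes) -> list[dict]:
    """Return one finding per member that is a shortcut by content or by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(len(LNK_MAGIC))   # only the header is needed
            by_content = is_lnk(head)
            by_name = info.filename.lower().endswith(".lnk")
            if by_content or by_name:
                findings.append({"name": info.filename,
                                 "by_content": by_content,
                                 "by_name": by_name,
                                 "size": info.file_size})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive (not a real sample): a decoy PDF, a benign text
    file, and a shortcut whose name imitates a document (no .lnk extension)."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56          # header bytes only, no target
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("materials.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("notes.txt", b"benign text")
        zf.writestr("briefing.doc", fake_lnk)    # shortcut hiding behind .doc
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Because the check reads only the first 20 bytes of each member, it is cheap enough to run on every inbound archive at a mail gateway or in a detonation pipeline.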
The downloaded malware is an AutoIt RAT tracked as EndRAT or EndClient RAT that provides file management, remote shell access, data transfer, and persistence capabilities.
The attacker abused the victim’s KakaoTalk desktop application to send ZIP files disguised as North Korea-related materials to certain contacts, thereby using compromised accounts as a distribution vector.
Analysis of the infected host also revealed AutoIt scripts associated with additional RAT families, including RftRAT and Remcos, suggesting multiple tools were deployed to improve resilience.
WHY IT MATTERS
Use of trusted messaging accounts to push malware increases the risk of rapid targeted propagation and complicates detection and response for affected organizations.