Konni APT (Advanced Persistent Threat), a hacker group based in North Korea, recently mounted attacks on the crypto industry by exploiting a vulnerability in the popular file archiver WinRAR. This marked the first time that the hacker group moved from traditional targets in South Korea to targets in the cryptocurrency industry.
Crypto journalist Colin Wu took to X (formerly Twitter) earlier today to report the latest attacks by Konni APT.
According to a detailed investigation of Konni APT’s activity by the Chuangyu 404 Advanced Threat Intelligence Team, the Konni group adopted new tactics, techniques, and procedures to target the crypto industry. The report noted that Konni’s choice of crypto targets is unusual: the crypto and finance sector is usually the territory of North Korea’s notorious Lazarus Group.
As per the analysis, Konni used a recently disclosed WinRAR vulnerability, tracked as CVE-2023-38831 and patched in WinRAR 6.23, to execute malicious payloads. The lure is a decoy file (reportedly an HTML file) bundled inside a malicious archive; when the victim opens the decoy from within WinRAR, the malicious payload runs instead. The flaw lies in how vulnerable WinRAR versions handle an archive that also contains a folder with the same name as the decoy: on opening the decoy, WinRAR extracts that same-named folder to a temporary directory as well and launches a script stored inside it, so the victim sees nothing unusual.
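Because the exploit depends on a recognisable archive layout (a root-level decoy file next to a folder of the same name that holds a script), the pattern can be checked for in the archive itself, before anything is opened. The triage script below is an added example written for this article, not code from the Chuangyu 404 report or from Konni’s tooling; the sample archives it builds are constructed in memory for demonstration and do not reproduce any real lure, and the list of script extensions is an assumption chosen to cover the common Windows launch vectors.

```python
import io
import posixpath
import zipfile
from typing import List, Tuple

# Assumed set of extensions worth flagging inside the same-named folder.
# It is a triage list, not an exhaustive one.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".wsf", ".ps1", ".lnk"}


def _norm(name: str) -> str:
    # Public CVE-2023-38831 samples rely on a trailing space in the decoy
    # name ("report.pdf "); strip it so both spaced and unspaced variants match.
    return name.rstrip()


def suspicious_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy_file, script_in_same_named_folder) pairs found in a ZIP.

    The CVE-2023-38831 layout is a plain file at the archive root (the decoy
    the victim double-clicks) next to a folder whose name equals the decoy's
    name, with a script inside that folder. Any archive with that shape is
    worth quarantining regardless of which WinRAR version the host runs.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [zi.filename for zi in zf.infolist()]

    files = [n for n in names if not n.endswith("/")]

    # Collect every directory name, whether stored as an explicit "x/"
    # entry or only implied by a member path such as "x/y".
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    hits = []
    for decoy in files:
        if "/" in decoy:
            continue  # the decoy sits at the archive root in the known samples
        for d in dirs:
            if _norm(d) != _norm(decoy):
                continue
            for member in files:
                ext = posixpath.splitext(member)[1].lower().rstrip()
                if member.startswith(d + "/") and ext in SCRIPT_EXTS:
                    hits.append((decoy, member))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed demo archives (not a real lure) to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy with the trailing space seen in public samples.
        zf.writestr("report.pdf ", b"%PDF-1.4 harmless decoy\n")
        if malicious:
            # Same-named folder holding the script WinRAR would launch.
            zf.writestr("report.pdf /report.pdf .cmd",
                        b"@echo off\r\necho payload would run here\r\n")
        else:
            zf.writestr("images/logo.png", b"\x89PNG harmless image")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, suspicious_entries(data))
```

The check reads only the central directory, so it is safe to run on untrusted archives as a mail-gateway or endpoint pre-filter; a hit should be treated as an indicator to quarantine, not as proof of Konni activity, and the archiver itself should still be updated to 6.23 or later.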
Konni APT’s crypto lures impersonated Qbao Network, a wallet that markets itself as an intelligent, encrypted one-stop platform for crypto services. That broad user base made its name a convenient hook for the hacker group: several of the malicious files circulated by Konni APT contained zip archives carrying Qbao Network’s name, giving victims a plausible reason to open them.
In light of Konni APT’s latest exploits, experts issued a warning for crypto users and urged them to exercise caution: update WinRAR to a patched version, and avoid opening documents directly from inside archives received by email or chat. Once executed, the malicious payload has the potential to steal sensitive information as well as crypto assets from the victim.
Earlier this year, cybersecurity firm Rewterz issued a threat alert for Konni APT, rating the group as a high-severity threat. Rewterz found that Konni APT engages in information theft and espionage by distributing malicious files via phishing messages or emails.