Hackers targeting North Korea with stealth spy malware attacks since 2014
The attacks targeted government and public organisations linked to North Korea iStock

North Korea has been the target of a long-drawn out cyberespionage campaign by unknown hackers. Security experts said that a spy malware, dubbed "KONNI" has been used since 2014, to launch several stealth malware attacks on the hermit kingdom's various organisations.

The malware has been updated and customised over the years, to use decoy documents with topics of interest to North Korea, in efforts to trick users into clicking on malicious files that act as a malware dropper. Security researchers at Cisco Talos said that the malware comes with keylogger capabilities, which can steal files and take screenshots while remaining under the radar.

Researchers said that North Korea had been targeted in 4 separate campaigns, 1 in 2014, 1 in 2016 and 2 in 2017. The last two campaigns indicate that the targets of the attacks were public organisations, such as United Nations, UNICEF and Embassies linked to North Korea.

Cisco Talos researchers charted the evolution of the KONNI malware in each of the attacks. The most notable aspect of the evolution of the malware was how the operators modified the decoy document with the changing times to ensure that it remained to be of the most interest to the target.

KONNI's evolution

In the 2014 campaign dubbed "Fatal Beauty", the decoy document came in the form of an image of a Myanmar temple. Researchers noted that this version of the malware was not designed to execute code on the infected system. Instead it was designed to be "executed only once and steal data on the infected system."

The 2016 campaign saw the decoy contain content linked to escalating tensions between North Korea and the US, in relation to the reclusive nation's claims that it can wipe out Manhattan with a hydrogen bomb. Researchers said that the decoy document came in English and Russian, titled, "N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet."

The 2 latest campaigns occurred in April 2017 and saw attackers target government agencies, embassies and public organisations linked to North Korea. This time the attack campaign came with 2 separate documents that included contact information for either embassy officials or members of the UN and UNICEF. The latest version of the KONNI malware features keylogger and screenshot grabbing abilities, in addition to stealing system information, uploading and deleting files, and downloading code from the internet and executing commands.

The identity of the attackers behind the malware attack campaigns remain a mystery. "Attribution is of course always difficult. We can identify malware, but we can't necessarily identify who is behind it, or who they work for," Martin Lee, technical lead at Cisco Talos told IBTimes UK.

"All we can say for certain is that this appears to have been a long term campaign with an interest in Korea, with 3 of the 4 campaigns being linked to North Korea," he added. "The nature of the decoy documents suggests a certain degree of social engineering and targeting of victims. Yet at the same time, the malware does not appear particularly advanced."