In a concerning development, Check Point Research has uncovered that the North Korean hacking group KONNI is intensifying its efforts to target blockchain developers across Japan, Australia, and India. Utilizing sophisticated AI-generated PowerShell backdoors, the group is employing deceptive tactics to infiltrate systems and compromise sensitive information. The source reports that this alarming trend highlights the increasing risks faced by the blockchain community in these regions.
Attack Strategy Overview
The attack strategy begins with KONNI leveraging Discord to distribute a malicious link, prompting developers to download a ZIP file. This archive is designed to initiate a multistage infection process on the victim's computer, incorporating a Windows shortcut and a seemingly legitimate PDF file. Once executed, the Windows shortcut triggers scripts that launch a PowerShell script in memory, create scheduled tasks, and unpack additional malicious files.
PowerShell Script and Backdoor Establishment
This PowerShell script establishes a permanent backdoor by connecting to servers controlled by the attackers. Notably, it includes unique features related to large language model code development, modular design, and thorough documentation. A comment within the script indicates where to insert a unique project identification UUID, which is crucial for tracking compromised systems.
Data Transmission and Target Shift
Every 13 minutes, the backdoor transmits system information to a remote server, utilizing the UUID to identify the project instance on each infected device. KONNI, which has been operational since at least 2014, has shifted its focus from targeting South Korean governmental and diplomatic entities to the cryptocurrency sector, specifically aiming at blockchain developers who are integral to digital currency infrastructure and code.
Recently, the North Korean hacking group KONNI has escalated its cyber operations by employing AI-generated PowerShell malware to target blockchain developers, as detailed in a prior report. For more information, see read more.
