A recent report by cybersecurity researchers reveals details of attacks on South Korean facilities. Particular attention is paid to the activities of the hacking groups APT37 and Konni, both allegedly associated with North Korea.

Groups of North Korean origin have long chosen the cryptocurrency sector as one of their targets. So far, however, the main threat has come from the Lazarus group. The report indicates that Konni has now entered the game and has recently begun applying new techniques, even against non-South Korean victims.

As part of the new campaign, attackers are exploiting a previously unexploited vulnerability in the WinRAR archiver: CVE-2023-38831. When the victim attempts to open a compressed HTML file, the malicious code is activated, allowing attackers to gain remote access to the system.

No less interesting is the complex mechanism to bypass security protocols. After activation, the malware determines whether the device is running on a 64-bit or 32-bit operating system. The code then communicates with the server and downloads additional instructions encoded in Base64 format. These instructions are converted to an executable file and executed.

The program then checks whether there is a remote session on the computer and what version of the operating system is installed. Depending on the data received, the code chooses one of the UAC (User Account Control) bypass methods to establish elevated privileges for itself.

Attackers employ the strategy of dynamically loading supplementary modules, which lets them swiftly adjust and update their code. At the end of the attack process, a hidden service called “Remote Database Service Update” is created in the system, which makes the malware harder to detect and the incident harder to analyze afterwards.
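One defensive hook the chain described above leaves behind is the service installation itself. The script below is an added example (not code from the report or the researchers) that scans constructed Windows "service installed" records (Event ID 7045 from the System log, flattened to one line each) and flags the service name quoted on this page as well as service binaries installed from user-writable directories; the event line format and the directory list are assumptions to be adapted to your own log pipeline.

```python
import re
from dataclasses import dataclass

# Service name reported on this page for the Konni persistence step.
KNOWN_BAD_SERVICE_NAMES = {"remote database service update"}

# Directories a legitimate service binary is rarely installed from
# (assumption: tune this list for your environment).
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"\\programdata\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
]

# Constructed sample records (not real telemetry), one event per line.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="Windows Update Medic Service" ImagePath="C:\\Windows\\System32\\svchost.exe -k WaaSMedicSvc"',
    'EventID=7045 ServiceName="Remote Database Service Update" ImagePath="C:\\ProgramData\\rdbsu\\update.exe"',
    'EventID=7045 ServiceName="Printer Helper" ImagePath="C:\\Users\\alice\\AppData\\Roaming\\ph.exe"',
    'EventID=7036 ServiceName="Spooler" ImagePath=""',
]

EVENT_RE = re.compile(r'EventID=(\d+) ServiceName="([^"]*)" ImagePath="([^"]*)"')


@dataclass
class Finding:
    service_name: str
    image_path: str
    reason: str


def parse_event(line):
    """Return (event_id, service_name, image_path) or None if the line does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def check_service_install(line):
    """Return a Finding for a suspicious 7045 record, otherwise None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    event_id, name, path = parsed
    if event_id != 7045:          # only service-installed events are of interest here
        return None
    if name.strip().lower() in KNOWN_BAD_SERVICE_NAMES:
        return Finding(name, path, "service name matches reported Konni persistence")
    for pat in SUSPICIOUS_PATH_PATTERNS:
        if pat.search(path):
            return Finding(name, path, "service binary in user-writable directory")
    return None


def scan(lines):
    """Run the check over every record and keep the findings."""
    return [f for f in (check_service_install(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.service_name!r} -> {f.image_path}: {f.reason}")
```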
