- Konni is a North Korean advanced persistent threat group that’s operated for a decade.
- Their hack starts with a Discord message containing a link to a deceptive ZIP archive.
- Researchers note that the virus shows clear signs of being AI-generated.
Cybersecurity researchers have raised the alarm about a sophisticated new malware scheme. North Korea-linked hacking group Konni (also known as Opal Sleet and TA406) is leveraging AI-generated PowerShell malware to directly target blockchain developers and engineers.
Konni is a North Korean advanced persistent threat (APT) group that has operated for at least a decade. Its targets have traditionally been in South Korea, Russia, Ukraine, and Europe, but the Asia-Pacific region has now been added to the list.
The group is linked to other DPRK cyber groups, such as APT37 and Kimsuky, and has a track record of stealing money and secrets from banks, financial systems, and tech companies.
How the Hack Works
Experts, including researchers from Check Point, have shared detailed reports explaining how the Konni hack works step-by-step.
The hack starts with a Discord message containing a link. Clicking it downloads a compressed file that looks legitimate, holding both a PDF decoy and a harmful Windows shortcut file.
Opening the shortcut file starts a PowerShell loader that unpacks more files. Among them are a fake DOCX document and a cabinet (CAB) archive holding a PowerShell backdoor, batch scripts, and an executable designed to bypass User Account Control (UAC). This allows the virus to stay installed on the victim’s computer.
Researchers note that the virus shows clear signs of being AI-generated. Its code is built in separate blocks, contains unusually neat comments, and uses strange placeholder text, which sets it apart from typical human-written malware.
The malware sets up an automated hourly scheduled task, disguised as a OneDrive startup task. This task silently unpacks and launches a PowerShell command in the computer's memory. After the harmful part of the program has run, it deletes some of its own files to cover its tracks.
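The chain described above (a scheduled task with a OneDrive-style name, an hourly trigger, and a PowerShell action that runs in memory) is something a defender can hunt for on an endpoint without knowing the exact file or task names. The script below is an added example written for this article; it is not code from the article, from Check Point, or from the malware. It assumes a Windows 8 / Server 2012 or later host with the built-in ScheduledTasks module, and because the page does not publish the real task names, paths or script names, it matches on behaviour rather than on any specific indicator.

```powershell
# Added hunting script (not from the article or from Check Point's report).
# Flags scheduled tasks that look like the persistence the article describes:
# a task disguised with a OneDrive-style name, repeating hourly, whose action
# launches PowerShell with flags typical of hidden or in-memory execution.
# Assumption: no real task/script names are known, so matching is behavioural.
# Run as administrator to see tasks registered by other users.

function Test-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Task   # output of Get-ScheduledTask
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Signal 1: the task pretends to belong to OneDrive.
        $oneDriveLike = ($Task.TaskName -match '(?i)onedrive') -or ($Task.TaskPath -match '(?i)onedrive')

        # Signal 2: an action runs PowerShell, possibly with evasion / in-memory flags.
        $runsPowerShell = $false
        $evasionFlags   = $false
        foreach ($action in $Task.Actions) {
            if (-not $action.Execute) { continue }          # skip COM-handler actions
            $cmdLine = "$($action.Execute) $($action.Arguments)"
            if ($cmdLine -match '(?i)\b(powershell|pwsh)(\.exe)?\b') {
                $runsPowerShell = $true
                if ($cmdLine -match '(?i)(-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s+h(idden)?|-nop\b|-noprofile|bypass|\biex\b|invoke-expression|frombase64string)') {
                    $evasionFlags = $true
                }
            }
        }

        # Signal 3: a trigger repeats about every hour (ISO 8601 durations PT1H / PT60M).
        $hourly = $false
        foreach ($trigger in $Task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if ($interval -and $interval -match '^PT(1H|60M)$') { $hourly = $true }
        }

        # Signal 4: real OneDrive tasks run as the user; "Highest" hints at elevation via a UAC bypass.
        $elevated = ("$($Task.Principal.RunLevel)" -eq 'Highest')

        if ($oneDriveLike -and $runsPowerShell) { $reasons.Add('OneDrive-named task launches PowerShell') }
        if ($runsPowerShell -and $evasionFlags)  { $reasons.Add('PowerShell action uses hidden/encoded/in-memory flags') }
        if ($hourly -and $runsPowerShell)        { $reasons.Add('PowerShell task repeats hourly') }
        if ($oneDriveLike -and $elevated)        { $reasons.Add('OneDrive-named task runs with highest privileges') }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $Task.TaskPath
                TaskName = $Task.TaskName
                Author   = $Task.Author
                Actions  = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Usage: scan every registered task and list the ones that trip at least one signal.
Get-ScheduledTask | Test-SuspiciousScheduledTask | Format-List
```

The output is a triage list, not a verdict: a genuine OneDrive update task exists on most Windows machines, but it does not launch PowerShell, so the combined signals (OneDrive name plus PowerShell action, hourly repetition, hidden or encoded flags) are what separate the lure from the real thing. Any hit should be confirmed by reading the task's action and the script it points at before it is removed.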
Target on Blockchain Developers
Unlike typical hacks that target random users, this attack is aimed directly at software developers and engineers who build crypto platforms. These individuals often have access to API keys, source code, and private wallet keys.
If hacked, they could give attackers control over important applications and large amounts of crypto. Researchers have seen this campaign mainly hitting targets in Japan, Australia, and India, showing that the hackers are deliberately going after new regions.
Source: https://coinedition.com/north-korean-konni-hackers-deploy-ai-generated-malware-to-target-devs/