The Konni Advanced Persistent Threat (APT) group has started a new malware distribution campaign that uses hijacked KakaoTalk PC messenger accounts to spread infections. A recent threat intelligence report from Genians Security Center says that the attackers are using North Korea-themed lures to get in, stay in, and turn current victims into new distribution channels.

First Infection and Sneaky Actions

The attack starts with a highly targeted spear-phishing email that looks like an official notice saying that the recipient is being hired as a North Korean human rights lecturer.

This social engineering trick is meant to build trust by matching the target's job and interests.

The email has an attached archive that contains a malicious LNK shortcut file disguised as a real document. When a victim opens the LNK file, it uses the normal Windows execution flow to silently start a PowerShell script.

[Figure: Attack Flow in General (Source: genians)]

The script decodes and opens a decoy PDF file to avoid raising suspicion while it silently prepares the real attack in the background.

The malware also deletes the original LNK file right after it runs to remove evidence and make it harder for forensic investigators to reconstruct what happened.

KakaoTalk Abuse and Lateral Propagation

A defining and especially dangerous part of this campaign is that it abuses the victim's active KakaoTalk PC messenger session.

After compromising the initial target and securing a foothold, the threat actor gains unauthorized access to the messaging application running on the victim's computer. The attacker then carefully selects certain people from the victim's friend list and sends them further malicious files.

[Figure: Sending harmful files through KakaoTalk (Source: genians)]

This attack flow shows a layered threat that goes beyond a single infection by using account-based propagation.

To protect themselves from this evolving threat, organizations need a security strategy that goes beyond traditional signature-based detection and focuses on how the attack actually behaves on the endpoint.

[Figure: The Malicious LNK File's Internal Structure (Source: genians)]

Some suggested ways to lessen the impact are:

- Limiting the use of high-risk attachment types, such as LNK files, scripts, and executables hidden inside archive files, especially where there is little business need for them.
- Strengthening user awareness training so that employees can spot shortcut files that look like real documents and messages that seem suspicious, even when they come from people they know.
- Using Endpoint Detection and Response (EDR) tools to watch for anomalous behaviors such as unexpected process creation after LNK execution, unusual script activity, or unexpected connections to external networks.
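The EDR correlation described in the last point can be sketched as a small rule over process and file-deletion telemetry. The following is an added example, not code from the Genians report or the article: it runs over constructed Sysmon-style events (an LNK target appears as explorer.exe spawning powershell.exe, and the script then deletes the .lnk file), and every path, PID and timestamp in it is made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str          # "process" (creation) or "file_delete"
    pid: int
    ppid: int
    image: str         # image of the acting process
    parent_image: str  # image of its parent ("" for file events)
    detail: str        # command line for process events, deleted path for file_delete

EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
_t = datetime.fromisoformat

# Constructed sample telemetry (not real logs). The LNK itself never shows up as a
# process: explorer.exe spawns its target directly, which then removes the shortcut.
SAMPLE = [
    Event(_t("2025-01-10T09:00:00"), "process", 4100, 1200, EXPLORER, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Event(_t("2025-01-10T09:01:02"), "process", 5210, 4100, PS, EXPLORER, "powershell.exe -w hidden -ep bypass -enc <constructed-base64>"),
    Event(_t("2025-01-10T09:01:03"), "process", 5330, 5210, r"C:\Program Files\Reader\AcroRd32.exe", PS, f"AcroRd32.exe {TMP}\\notice.pdf"),
    Event(_t("2025-01-10T09:01:04"), "file_delete", 5210, 4100, PS, "", f"{TMP}\\archive\\lecturer_notice.pdf.lnk"),
    # Benign: an admin starts a script from explorer and nothing deletes a shortcut.
    Event(_t("2025-01-10T09:30:00"), "process", 6000, 4100, PS, EXPLORER, r"powershell.exe -File C:\scripts\backup.ps1"),
]

def detect_lnk_chain(events, window=timedelta(minutes=5)):
    """Alert on powershell.exe spawned by explorer.exe (how a double-clicked LNK target
    appears in telemetry) when its process tree deletes a .lnk within `window`."""
    alerts = []
    procs = sorted((e for e in events if e.kind == "process"), key=lambda e: e.ts)
    for cand in procs:
        if not (cand.image.lower().endswith("powershell.exe")
                and cand.parent_image.lower().endswith("explorer.exe")):
            continue
        tree = {cand.pid}                      # candidate plus its descendants
        for p in procs:                        # time order: parents precede children
            if p.ppid in tree and p.ts >= cand.ts:
                tree.add(p.pid)
        for e in events:
            if (e.kind == "file_delete" and e.pid in tree
                    and e.detail.lower().endswith(".lnk")
                    and cand.ts <= e.ts <= cand.ts + window):
                alerts.append({"pid": cand.pid, "cmdline": cand.detail, "deleted": e.detail})
                break
    return alerts
```

In a real deployment the same logic maps onto Sysmon event IDs 1 (process creation) and 23 (file delete), with the benign script launch staying silent because no shortcut is removed by its tree.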

Defenders can effectively detect and block this complex, multi-stage attack before it can spread through trusted messenger networks by using an EDR-centered response framework that supports anomalous behavior correlation.