Warning Issued Over New Konni Group Hacking Tactic Combining Fake Emails and KakaoTalk
The North Korea-linked hacking group 'Konni' is deploying a multi-stage malware distribution attack that combines spearphishing emails with KakaoTalk, warranting caution. On the 16th, security firm Genians Security Center analyzed this attack method in its threat intelligence report, detailing the risks of an account-based re-propagation model.
The attack begins with a spearphishing email disguised as legitimate business correspondence, such as an 'Announcement of Appointment for North Korean Human Rights Instructor'. The attacker lures the victim into executing a malicious shortcut (LNK) file that carries a document icon inside an attached zip file, thereby infecting the PC. The attacker then uses a technique to gain unauthorized access to the KakaoTalk PC client session on the infected machine and steal its login information.
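The lure described above relies on a zip attachment whose shortcut file passes as a document. The following added example (not code from the Genians report) shows a mail-gateway or EDR-side check that flags LNK members in such an archive, both by name (including document-style double extensions such as `.docx.lnk`) and by the fixed ShellLinkHeader bytes, which also catches a shortcut renamed to hide its extension; the sample archive and file names are constructed for the demonstration.

```python
import io
import zipfile

# Fixed ShellLinkHeader prefix (MS-SHLLINK): HeaderSize 0x4C little-endian,
# then LinkCLSID {00021401-0000-0000-C000-000000000046} in binary GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
DOC_EXTS = {"doc", "docx", "hwp", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Reasons an archive member looks like an LNK lure; empty list means clean."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if base.endswith(".lnk"):
        reasons.append("lnk-extension")
        # 'notice.docx.lnk': the inner extension imitates a document
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            reasons.append("double-extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk-header")
        if not base.endswith(".lnk"):
            reasons.append("renamed-lnk")  # shortcut content behind a document name
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip (passed as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one benign text file and two LNK lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, harmless")
        zf.writestr("Appointment_Notice.docx.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Lecture_Plan.hwp", LNK_MAGIC + b"\x00" * 60)  # header says LNK
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the two shortcut members with their reasons and leaves the plain text file unflagged.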
The attacker employs a 'trust-based' method, using the stolen information to re-distribute malicious files to the victim's messenger contacts. A key characteristic of this method is that it occurs without any 'overseas connection' indicators, making detection difficult. Genians assessed this as an 'identity-based' attack that inflicts secondary damage on associates through compromised account sessions.
As countermeasures, Genians Security Center recommended the adoption of an anomaly detection system centered on Endpoint Detection and Response (EDR) and the establishment of messenger security guidelines. They also emphasized the need to monitor for abnormal data transmission patterns or session protection status on critical terminals, conduct security training regarding shortcut files, and strengthen 'behavior-based' detection.