Cisco Talos researchers found that the current version of the malware, known as KONNI, allows the operator to steal files and keystrokes, take screenshots and execute arbitrary code on the infected host.
The actor has used an email attachment as the initial infection vector throughout the three years in which the various campaigns have been observed. Additional social engineering prompts the target to open a .scr file, which displays a decoy document to the user and executes the malware on the victim's device.
The researchers say the malware has evolved over time by supporting more features, improving the decoy documents and moving from a single-file to a dual-file design. The new version searches for files generated by previous versions, implying that the malware has been used several times against the same targets.
“The RAT has remained under the radar for multiple years. An explanation could be the fact that the campaign was very limited in nature, which does not arouse suspicions,” Talos researchers said in their blog.
In total, four campaigns were found: one in 2014, one in 2016 and two in 2017. In the final two campaigns, the spear-phishing emails included a decoy document listing members of official organisations such as UNICEF, the United Nations, and embassies linked to North Korea.
The researchers believe the author has a real interest in North Korea considering most of the campaigns are linked to the country. The latest campaign started a few days ago and is still active.