Analysis of Konni APT group attack campaigns against neighboring regions using the nuclear issue and the pandemic as lures
Common Information
Type Value
UUID ffebadf8-54f7-4486-832d-58ea4c38d0d1
Fingerprint 6f4163192525ab4f
Analysis status IN_PROGRESS
Considered CTI value 0
Text language
Published July 21, 2020, midnight
Added to db Dec. 20, 2024, 2:52 p.m.
Last updated Dec. 25, 2024, 10:29 a.m.
Headline Analysis of Konni APT group attack campaigns against neighboring regions using the nuclear issue and the pandemic as lures
Title Analysis of Konni APT group attack campaigns against neighboring regions using the nuclear issue and the pandemic as lures
Detected Hints/Tags/Attributes 13/1/53
Source URLs
Attributes
Details Type #Events CTI Value
Details Url 3
https://ti.qianxin.com/blog/articles/analysis-of-konni-apt-organization-attack-activities-disguised-as-korean-android-chat-application
Details Url 1
https://blog.alyac.co.kr/2543
Details Url 1
https://mp.weixin.qq.com/s/gukd2lnr9le8flug4bffsw