{ "id": "9c0c9633-7866-4064-b29a-f4db21204ca8", "created_at": "2026-04-06T01:32:08.034293Z", "updated_at": "2026-04-10T03:37:40.785719Z", "deleted_at": null, "sha1_hash": "ed85e7a56e1bb0e078c273ce457e859ea18f506d", "title": "Konni APT 组织以朝鲜疫情物资话题为诱饵的攻击活动分析-安全KER - 安全资讯平台", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2053186, "plain_text": "Konni APT 组织以朝鲜疫情物资话题为诱饵的攻击活动分析-安全\r\nKER - 安全资讯平台\r\nArchived: 2026-04-06 01:06:05 UTC\r\n概述\r\nKonni APT 组织是朝鲜半岛地区最具代表性的 APT 组织之一,自 2014 年以来一直持续活动,据悉其背后\r\n由朝鲜政府提供支持,该组织经常使用鱼叉式网络钓鱼的攻击手法,经常使用与朝鲜相关的内容或当前\r\n社会热点事件来进行攻击活动,该组织的主要目标为韩国政治组织,以及日本、越南、俄罗斯、中国等\r\n地区。\r\n微步情报局近期通过威胁狩猎系统监测到 Konni APT 组织最新攻击活动,经过分析有如下发现:\r\n1. 攻击者以“朝鲜疫情物资”话题相关文章作为诱饵文档进行攻击活动,诱饵文档延续了该组织以往的\r\n攻击手法,将正文颜色设置为难以阅读的颜色以诱导用户启用宏。\r\n2. 在文档携带的恶意宏中,从失陷的服务器中下载后门模块并执行。\r\n3. 后门模块为 Amadey 家族木马,攻击者可利用该后门模块进行下一步恶意模块的分发,该组织经常\r\n使用此家族木马进行攻击活动。\r\n4. 根据样本关联信息显示,本次攻击活动手法与以往安全机构披露的“隐士”、“BlueSky” 等攻击活动\r\n手法类似,另外还与具有相同背景的半岛地区 APT 组织 Kimsuky 有诸多关联之处。\r\n5. 微步在线通过对相关样本、IP 和域名的溯源分析,共提取 31 条相关 IOC,可用于威胁情报检测。\r\n微步在线威胁感知平台 TDP、威胁情报管理平台 TIP、威胁情报云 API、互联网安全接入 OneDNS\r\n等均已支持对此次攻击事件和团伙的检测。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 1 of 15\n\n详情\r\n本次攻击活动依然采用 Konni APT 组织最常用的攻击方式,投递的诱饵文件具有一定的诱惑性,攻击者\r\n引用 NKNews 近期发表的朝鲜 COVID-19 话题相关文章作为诱饵文档,将正文文字颜色设置为难以阅读\r\n的颜色,只有启用宏之后才能修改为容易阅读的颜色,原文链接:\r\nhttps://www.nknews.org/2020/10/pyongyang-stores-low-on-foreign-goods-amid-north-korean-covid-19-\r\nparanoia/。\r\n文件名称 Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia (1).doc\r\nSHA256 9891b3d68ffbdb4a4bd0e7e49ba7b1e6d30ffb35935357551c312af5ae3a4f1e\r\n创建时间 2020/11/27 06:28\r\n图1. doc诱饵文档启用宏前后\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 2 of 15\n\n图2. 样本执行流程图\r\n样本分析\r\n在 doc 文档携带的恶意宏中,首先将正文颜色修改为黑色以迷惑用户,之后从失陷的服务器\r\n(https://rabadaun.com/wordpress/wp-content/themes/TEMP.so)下载文件数据保存到主机 Templates 目录下\r\nspolsve.exe 并执行。\r\n图3. 文档中携带的恶意宏\r\n下载的文件为木马 Loader 模块,样本信息如下:\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 3 of 15\n\n文件名 TEMP.so、spolsve.exe、tlworker.exe\r\n文件大小 290816 字节 (284.00 KB)\r\nMD5 f160c057fded2c01bfdb65bb7aa9dfcc\r\nSHA1 1e14de870b1c4b09cbf81206562a254c27178d85\r\nSHA256 efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060\r\n编译时间戳 2016/12/06 11:35:32\r\nLoader 模块执行后,先通过累加一个比较大的数值 0xBAADBEEF,来制造一个比较大的延时效果,之后\r\n将 EnumChildWindows 的回调函数进行动态解密并执行,这在一定程度上干扰了静态分析。\r\n图4. 调用EnumChildWindows反汇编代码片段\r\n之后找到 .pnuvq 区段数据,使用密钥“nfnljhbnntphxhxthxdpjdtdtjlppltxvrrzbbrlbvfvrnpp ”进行解密。\r\n图5. Loader模块的PE区段表\r\n解密后的数据为后门 PE 模块,紧接着再次创建一份自身进程,将后门模块注入执行。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 4 of 15\n\n图6. 后门模块PE头数据\r\nBackdoor模块\r\n文件大小 68608 字节 (67.00 KB)\r\nMD5 f108a4d064dd05c0a097f517ec738b1a\r\nSHA1 f197a7be7fdb286bc9673a57b54994c02a7af8d6\r\nSHA256 d1baefd0bdc7f3b0369c5b7126c3b98469a518cf4db788fad1d243d8661a17b9\r\n编译时间戳 2020/11/19 17:00:55\r\n后门模块中的字符串均以加密形式存储,使用密\r\n钥”a7963b909152f8ebc3ec69b1dee2b255a9678a5b7b827e8c75bd9b0″动态解密。\r\n图7. 字符串解密函数反汇编代码片段\r\n该模块执行后,首先检查常见的杀软文件是否存在,用以检查主机上存在的杀软信息。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 5 of 15\n\n图8. 检查主机杀软信息\r\n再检查当前运行目录是否是 C:\\ProgramData\\a7963\\TlWorker.exe,如果不是,则自我复制到该目录。\r\n图9. 后门模块的自我复制\r\n并调用 cmd 设置注册表开机启动项以在主机上建立持久化机制。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 6 of 15\n\n图10. 设置开机启动项\r\n之后解密出 C2 地址。\r\n图11. 解密C2服务器地址\r\n将硬盘序列号、木马版本、是否为管理员、系统版本、杀软信息、主机名、用户名作为上线数据包以\r\nHTTP 协议 POST 方法发送至 C2 服务器(http:// 186.122.150.107/cc/index.php)。\r\n图12. 向C2服务器上传的主机信息数据包\r\n然后接受 C2 服务器返回数据,从中取出服务器所下发的下载链接,继续下载其他恶意模块,每隔 60 秒\r\n与服务器通信 1 次。截至分析时,服务器暂未下发有效指令。\r\n图13. 响应C2服务器远程指令\r\n该 C2 服务器部署了 Amadey 家族木马服务端用以对目标进行控制。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 7 of 15\n\n图14. C2服务器上所部署的Amadey木马服务端\r\n在上线列表中发现已经有用户被感染,根据 IP 判断包括 1 例韩国受害者,这符合该组织的攻击目标范\r\n围,攻击者可随时设置任务,下发给目标以进行下步恶意模块的分发。\r\n图15. Amadey木马服务端所显示的感染列表\r\n关联分析\r\n在关联分析工作中,另外发现一个以“俄罗斯专家介绍”为主题的诱饵文档。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 8 of 15\n\n图16. 以“俄罗斯专家介绍”为主题的诱饵文档\r\n在其恶意宏中同样从失陷的网站服务器下载恶意模块执行(http://fd-com.fr/wp-content/themes/consultingservices/upload/tmp.txt),虽然目前已经无法正常下载,但根据关联分析信息,发\r\n现之后的恶意流程与上面样本一致,同样使用 Amadey 木马在主机建立持久化机制,并从 C2 服务器\r\n(http://108.62.118.185/cc/index.php)获取下载链接继续下一步恶意行为。\r\n图17. 恶意宏代码中的失陷服务器\r\n在本次攻击活动中,攻击者依然延续了以往的攻击手法,将诱饵文档颜色设置为不可读颜色诱导用户启\r\n用宏,从攻击手法多维度信息来看,与以往攻击活动手法基本一致,例如使用基本一致的解密算法。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 9 of 15\n\n图18. 一致的解密算法\r\n同样使用 Amadey 家族木马套件。\r\n图19. 一致的Amadey木马服务端\r\n在微步在线追踪溯源系统中检索攻击者使用的 C2 服务器的关联信息,发现历史解析域名基本都带有一定\r\n的迷惑性,推测攻击者用来进行钓鱼攻击,这符合 Konni 以往的攻击手法。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 10 of 15\n\n图20. 微步在线追踪溯源系统关联信息\r\n与 Kimsuky APT 组织的关联性\r\n在 Kimsuky 组织最近的一起攻击活动中,其使用了“世界卫生大会”相关内容作为诱饵文档\r\n(57b59b770f313b0a09b651bfba0c95cdba482d4a41fa2e95593674dd5cd83c5b),同样将正文颜色设置为难\r\n以阅读的颜色,且攻击者编辑文档环境为朝鲜语。\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 11 of 15\n\n图21. 以“世界卫生大会”为主题的诱饵文档\r\nKimsuky 组织在以往攻击活动中经常使用带有恶意宏的文档进行攻击,在恶意宏中从 C2 服务器拉取下阶\r\n段脚本代码执行,本次攻击活动依然使用同样的攻击手法,另外该组织以往还经常使用包含“.php?op={参\r\n数值}”的 URL,其中参数值代表不同阶段的行为,在此次攻击活动中就使用到以下 URL:\r\n1. http://documentserver.site/dark/index.php?op=5\r\n2. http://documentserver.site/dark/index.php?op=7\r\n图22. Kimsuky组织使用的URL示例图\r\n而通过分析 Konni 以往所使用的 Amadey 家族攻击样本,发现有攻击样本\r\n(544aaf0804060598138f2db809c31bb651dd8f4fce2e64b49f7db051fc54a764)曾使用过 C2 服务器\r\nhttp://securelevel.site/pppp/index.php,经过对比,与 Kimsuky 所使用的 C2 服务器 Whois 注册信息完全一\r\n致。\r\n注册者 aoler jack\r\n邮箱 poole.sion2015@yandex.com\r\n电话 +82.12035386476\r\n图23. Kimsuky和Konni两者相同的Whois注册信息\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 12 of 15\n\n由此我们发现,Konni 组织与具有相同朝鲜半岛背景的 Kimsuky 组织有一定程度的资产重叠,从攻击目标\r\n与攻击手法来看也有不同程度的技术重叠,依靠现有的一些证据,可以合理地怀疑他们可能存在某种意\r\n义上的关联性,当然仅凭有限的内容来判定他们之间的关联并不容易,有必要继续跟踪观察他们之间的\r\n关系,通过大量的恶意文件样本和各种分析指标来获取更明确的答案。\r\n结论\r\nKonni APT 组织善于使用朝鲜相关热点话题进行攻击活动,且极具针对性,本次攻击活动中依然使用诱饵\r\n文档+Amadey 家族木马套件的攻击方式,与相同背景的半岛地区 APT 组织 Kimsuky 组织或有关联,基于\r\n该组织所在地区及目标的地缘政治敏感性,也可能会给我国带来一定程度的负面影响,微步在线情报局\r\n会对该组织攻击活动持续进行跟踪,及时发现安全威胁并快速响应处置。\r\n附录 – IOC\r\nC\u0026C\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 13 of 15\n\nCompromised Domain\r\nHash\r\n1. 9891b3d68ffbdb4a4bd0e7e49ba7b1e6d30ffb35935357551c312af5ae3a4f1e\r\n2. efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060\r\n3. d1baefd0bdc7f3b0369c5b7126c3b98469a518cf4db788fad1d243d8661a17b9\r\n4. 5bd48c2f61541124920d71e674ce3fd5927702f69c2baacc5a509debe3a893c8\r\n5. 9aab5a536b95963c4e3c990ab40bdeb25c850e2a862ea528b81d470d6acdadb1\r\nEmail\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 14 of 15\n\n1. glorify0717@gmail.com\r\n2. mypretty0914@gmail.com\r\n3. norelyeverland@hanmail.net\r\n4. poole.sion2015@yandex.com\r\n参考链接\r\n1. https://s.threatbook.cn/report/file/efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060/?\r\nsign=history\u0026env=win7_sp1_enx86_office2013\r\n2. https://s.tencent.com/research/report/727.html\r\n3. https://blog.alyac.co.kr/2308\r\n4. https://blog.alyac.co.kr/3390\r\n关于微步情报局\r\n微步情报局,即微步在线研究响应团队,负责微步在线安全分析与安全服务业务,主要研究内容包括威\r\n胁情报自动化研发、高级 APT 组织\u0026黑产研究与追踪、恶意代码与自动化分析技术、重大事件应急响应\r\n等。\r\nSource: https://www.anquanke.com/post/id/230116\r\nhttps://www.anquanke.com/post/id/230116\r\nPage 15 of 15", "extraction_quality": 1, "language": "ZH", "sources": [ "Malpedia" ], "references": [ "https://www.anquanke.com/post/id/230116" ], "report_names": [ "230116" ], "threat_actors": [ { "id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4", "created_at": "2025-08-07T02:03:25.096857Z", "updated_at": "2026-04-10T02:00:03.659118Z", "deleted_at": null, "main_name": "NICKEL JUNIPER", "aliases": [ "Konni", "OSMIUM ", "Opal Sleet " ], "source_name": "Secureworks:NICKEL JUNIPER", "tools": [ "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "b43c8747-c898-448a-88a9-76bff88e91b5", "created_at": "2024-02-02T02:00:04.058535Z", "updated_at": "2026-04-10T02:00:03.545252Z", "deleted_at": null, "main_name": "Opal Sleet", "aliases": [ "Konni", "Vedalia", "OSMIUM" ], "source_name": "MISPGALAXY:Opal Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439128, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ed85e7a56e1bb0e078c273ce457e859ea18f506d.pdf", "text": "https://archive.orkl.eu/ed85e7a56e1bb0e078c273ce457e859ea18f506d.txt", "img": "https://archive.orkl.eu/ed85e7a56e1bb0e078c273ce457e859ea18f506d.jpg" } }