Konni hackers target blockchain engineers with AI malware

North Korean hacking group Konni is now targeting blockchain engineers with artificial intelligence-generated malware. According to reports, the hacker group is now deploying the AI-generated PowerShell malware, using it to target developers and engineers in the blockchain industry.

The North Korean hacker group is believed to have been in operation since at least 2014 and is associated with APT37 and Kimusky activity clusters. The group has targeted organizations spread across South Korea, Ukraine, Russia, and several other European countries. According to the threat sample analyzed by CheckPoint researchers, the North Korean group’s latest campaign is targeted towards the Asian Pacific region.

North Korean Konni group deploys AI-generated malware

In the report, the researchers claimed that the malware was submitted by users who found it in Japan, India, and Australia. The attack begins with the victim receiving a Discord link that delivers a ZIP archive containing a PDF lure and a malicious LNK shortcut file. The LNK runs an embedded PowerShell loader that extracts a DOCX document and a CAB archive that contains a PowerShell backdoor, two batch files, and a UAC bypass executable.

After the shortcut file is launched, the DOCX opens and executes a batch file included in the cabinet file. The lure DOCX document shows that the hacker wants to compromise the development environment, which could provide them with access to sensitive assets, including infrastructure, API credentials, wallet access, and finally digital asset holdings. The first batch file creates a staging directory for the backdoor and the second batch file.

In addition, it also creates an hourly scheduled task that mimics the startup task of OneDrive. The task reads an XOR-encrypted PowerShell script from disk and decrypts it for in-memory execution. After completing all these steps, it then deletes itself to wipe all the signs of an infection. The PowerShell backdoor heavily masks its origin using arithmetic-based string encoding, runtime string reconstruction, and the execution of the final logic using “Invoked-Expression.”

According to the researchers, the PowerShell malware indicates the presence of an AI-assisted development rather than traditionally authored malware. The evidence showing this includes the clear and structured documentation at the top of the script, which is very unusual for malware development. In addition, it has a clean and modular layout, and the presence of a “# <– your permanent project UUID” comment in the file. CheckPoint noted that this phrasing shows signs of an LLM-generated code by the North Korean hackers.

CheckPoint researchers give details on the malware

The researchers explained that the phrasing also shows that the model instructs a human user on how to customize the placeholder value. They said such comments are commonly seen in AI-generated scripts and tutorials. Before execution, the malware performs a hardware, software, and user activity check to ensure that it is not running in analysis environments. Once that is determined, it then generates a unique host ID. After that, it follows a specified path of action.

Once the backdoor is fully activated and running on the infected device, the malware contacts the command-and-control (C2) server periodically to send host metadata and polls the server at random intervals. If the C2 contains a PowerShell code, it turns into a script block and carries out its activities using background jobs. CheckPoint noted that these attacks can be attributed to the North Korean Konni threat actor based on the earlier launcher format and lure name.

In addition, the researchers claimed that aside from having the same script name overlap, there are other common elements in the execution chain structure with earlier attacks. The researchers have also published indicators of compromise associated with this recent campaign to help defenders recognize when they have been attacked by the North Korean Konni campaign so they can protect their assets.

The smartest crypto minds already read our newsletter. Want in? Join them.