Analysis of the KONNI's LINKON Malware
2025.02.14

S2W Threat Intelligence Center TALON has published a report analyzing the LINKON malware associated with the North Korean APT group KONNI. The report details a malware sample disguised as a document from the Financial Intelligence Unit of the Financial Services Commission.


✅ Report Title:

The North Korea-backed KONNI’s LINKON malware disguised as a Financial Services Commission



✅ Executive Summary:

On January 23, 2025, an LNK malware disguised as the file "Virtual Asset Service Provider Inspection Plan Party Policy Meeting Presentation_FN2" was discovered and analyzed.

- File name: 가상자산사업자 검사계획민당정회의 발표자료_FN2.hwp.lnk (Korean file name)
- MD5: e37c8f6aba686aab3d7ecedbd1d0ef43
- SHA256: 5a8ecafbd5809000334bf5b940a497d0ed750dd11da8a03796f5ce53257cc892

Upon execution, this malicious LNK file leverages PowerShell commands to drop and execute a decoy document along with additional files embedded within the LNK. It has been identified as LINKON malware.

KONNVBS and KONNBAT scripts maintain persistence by registering specific script files in the Windows Task Scheduler or downloading additional files from a hardcoded attacker-controlled server for execution.



📌 What are the specific characteristics of the LINKON malware?

The analyzed LINKON malware impersonates the Financial Intelligence Unit of the Financial Services Commission of South Korea. It is disguised as a document related to the “Anti-Money Laundering Inspection Trustee Council” meeting, which was held on December 20, 2024. Given this, it is presumed that the malware was used against virtual asset-related businesses sometime after December 20, 2024.

Additionally, the malware leverages social engineering tactics to trick users into executing it. Upon execution, it immediately displays a decoy document designed to appear legitimate, concealing the infection process from the user. To further evade detection, all malicious activities and commands are executed with the "hidden" attribute, preventing the victim from noticing any unusual behavior.
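The execution chain described above (an LNK that launches PowerShell with a hidden window and carries its decoy document and follow-on files appended inside the LNK) leaves static traces that can be checked before the file is ever opened. The following script is an added example written for this page, not S2W's tooling and not the real sample: it parses the Shell Link header and StringData per MS-SHLLINK, skips the ExtraData blocks, and reports how many bytes sit past the TerminalBlock (where appended payloads live), together with the launcher and window-visibility indicators. The two `.lnk` inputs it triages are constructed inline by `build_sample_lnk`; the indicator names and the `is_linkon_like` heuristic are this example's own choices.

```python
# Static triage of a Windows .lnk (Shell Link) file for the LINKON-style traits the
# report describes: a PowerShell launcher started with a hidden window, plus extra
# bytes (decoy document/scripts) appended after the link structure. Offsets follow
# MS-SHLLINK; the .lnk inputs built below are constructed for this example and are
# not the real LINKON sample.
import struct
from dataclasses import dataclass, field

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched console window out of sight


@dataclass
class LnkTriage:
    show_command: int
    strings: dict
    trailing_bytes: int
    indicators: list = field(default_factory=list)


def _read_string(buf: bytes, pos: int, unicode: bool):
    """StringData item: uint16 character count followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def triage_lnk(buf: bytes) -> LnkTriage:
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_command,) = struct.unpack_from("<I", buf, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: uint16 size + items
        (size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: uint32 size that includes itself
        (size,) = struct.unpack_from("<I", buf, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[key], pos = _read_string(buf, pos, unicode)
    # ExtraData: (uint32 size, body) blocks, ended by a TerminalBlock whose size is < 4.
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from("<I", buf, pos)
        if size < 4:
            pos += 4
            break
        pos += size
    trailing = max(0, len(buf) - pos)            # anything after the TerminalBlock is appended data
    triage = LnkTriage(show_command, strings, trailing)

    launcher = (strings.get("relative_path", "") + " " + strings.get("arguments", "")).lower()
    if show_command == SW_SHOWMINNOACTIVE:
        triage.indicators.append("showcommand-minimised")
    if "powershell" in launcher:
        triage.indicators.append("powershell-launcher")
    if "-windowstyle hidden" in launcher or " -w hidden" in launcher:
        triage.indicators.append("hidden-windowstyle")
    if " -enc" in launcher or "-encodedcommand" in launcher:
        triage.indicators.append("encoded-command")
    if trailing > 0:
        triage.indicators.append("trailing-data")
    return triage


def is_linkon_like(triage: LnkTriage) -> bool:
    """Heuristic derived from the report: a hidden PowerShell launcher carrying appended data."""
    hidden = {"showcommand-minimised", "hidden-windowstyle"} & set(triage.indicators)
    return bool(hidden) and "powershell-launcher" in triage.indicators and "trailing-data" in triage.indicators


def _pack_string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(relative_path: str, arguments: str, show_command: int, trailing: bytes = b"") -> bytes:
    """Build a minimal spec-conformant .lnk; used only to construct the inputs for this example."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0)  # LinkFlags, FileAttributes
    header += b"\x00" * 24                                   # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, show_command, 0)    # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                   # Reserved1..3
    body = _pack_string(relative_path) + _pack_string(arguments)
    return header + body + b"\x00\x00\x00\x00" + trailing    # TerminalBlock, then the appended bytes


# Constructed inputs (not the real sample): a LINKON-style launcher and a benign shortcut.
APPENDED = b"CONSTRUCTED-DECOY-HWP-AND-SCRIPT-BYTES" * 4
SUSPICIOUS_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-WindowStyle Hidden -NoProfile -Command "<constructed placeholder>"',
    SW_SHOWMINNOACTIVE,
    trailing=APPENDED,
)
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\notepad.exe", "", SW_SHOWNORMAL)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        t = triage_lnk(blob)
        print(f"{label}: ShowCommand={t.show_command} trailing={t.trailing_bytes} "
              f"indicators={t.indicators} linkon_like={is_linkon_like(t)}")
```

The trailing-byte count is the most robust of these signals: a legitimate shortcut ends at its TerminalBlock, so a multi-megabyte `.lnk` with data past that point warrants a closer look regardless of how the launcher arguments are obfuscated. Running `triage_lnk` over a mail-gateway or endpoint quarantine directory gives a cheap first-pass filter before dynamic analysis.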



✅ Recommended Threat Detection and Mitigation Actions:

The North Korean KONNI group has consistently been observed using decoy documents themed on the virtual asset industry to distribute LINKON malware. The continued distribution of similar malware calls for caution.

For a more detailed analysis and recommended countermeasures, please refer to the full report via the link below.

🧑‍💻 Report Author: S2W TALON (Updated 2025-01-24)



👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request.

