The domain ka174f.scienceontheweb.net has been judged to be malicious. This conclusion is drawn from its association with Dynamic Domain Name System (DDNS) technology and its use as a Command and Control (C2) server. The domain is linked with the KONNI malware family, which is known to be associated with cyber-espionage campaigns conducted by Advanced Persistent Threat (APT) groups. These groups often leverage DDNS for its low cost and flexibility, allowing them to dynamically update their C2 server IP addresses and avoid detection. The use of DDNS in conjunction with C2 activities is a strong indicator of the domain's malicious nature.
Whois Record: The domain ka174f.scienceontheweb.net is registered with ENOM, INC. and has been active since May 11, 2007. The registration details are redacted for privacy, which is not uncommon but does not provide any specific leads towards legitimate use.
In-depth Analysis: The domain employs DDNS technology, which is frequently used by threat actors for remote-control infrastructure. DDNS lets the operator change the IP address behind the domain at will, which makes it a convenient choice for hosting C2 servers.
Mentioned Articles: The domain has been identified in several threat intelligence reports as being part of the KONNI malware infrastructure, which is linked to APT groups engaged in cyber-espionage activities against various targets. The presence of this domain in such reports, together with its use of DDNS and C2 functionality, strongly supports its classification as malicious. [1][2][3]
The Konni group first became active in 2014 and was exposed by the Cisco security team in 2017. It mainly launched attacks against Korean financial companies.
2024-02-22, Russian Government Software Backdoored to Deploy Konni RAT
An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog). The findings come from German cybersecurity company DCSO, which linked the activity as originating from the Democratic People's Republic of Korea (DPRK)-nexus actors targeting Russia. The Konni (aka Opal Sleet, Osmium, or TA406) activity cluster has an established pattern of deploying Konni RAT against Russian entities, with the threat actor also linked to attacks directed against MID at least since October 2021. In November 2023, Fortinet FortiGuard Labs revealed the use of Russian-language Microsoft Word documents to deliver malware capable of harvesting sensitive information from compromised Windows hosts. DCSO said the packaging of Konni RAT within software installers is a technique previously adopted by the group in October 2023, when it was found to leverage a backdoored Russian tax filing software named Spravki BK to distribute the trojan. "In this instance, the backdoored installer appears to be for a tool named 'Statistika KZU' (Статистика КЗУ)," the Berlin-based company said. "On the basis of install paths, file metadata, and user manuals bundled into the installer, [...] the software is intended for internal use within the Russian Ministry of Foreign Affairs (MID), specifically for the relaying of annual report files from overseas consular posts (КЗУ — консульские загранучреждения) to the Consular Department of the MID via a secure channel." The trojanized installer is an MSI file that, when launched, initiates the infection sequence to establish contact with a command-and-control (C2) server to await further instructions.
The remote access trojan, which comes with capabilities for file transfers and command execution, is believed to have been put to use as early as 2014, and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37). It's currently not clear how the threat actors managed to get a copy of the installer, given that it's not publicly obtainable. But it's suspected that the long history of espionage operations targeting Russia may have helped them identify prospective tools for subsequent attacks. While North Korea's targeting of Russia is not new, the development comes amid growing geopolitical proximity between the two countries. State media from the Hermit Kingdom reported this week that Russian President Vladimir Putin has given leader Kim Jong Un a luxury Russian-made car. "To some extent, this should not come as a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection needs, with an ongoing need on the part of the DPRK to be able to assess and verify Russian foreign policy planning and objectives," DCSO said. [5]
2023-11-29, Konni Group Attack Detection: North Korean Hackers Leverage Russian-Language Weaponized Word Document to Spread RAT Malware
Possible evasion of detection measures was noted. [2]
2023-11-23, Konni Group Using Russian-Language Malicious Word Docs in Phishing Attacks
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week. The cyber espionage group is notable for its targeting of Russia, with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks. Recent attacks documented by Knowsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from the infected machines. "Konni's primary objectives include data exfiltration and conducting espionage activities," ThreatMon said. "To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution." The latest attack sequence observed by Fortinet involves a macro-laced Word document that, when enabled, displays an article in Russian that's purportedly about "Western Assessments of the Progress of the Special Military Operation." The Visual Basic for Applications (VBA) macro subsequently proceeds to launch an interim Batch script that performs system checks, User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities.
"The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands," Lin said. Konni is far from the only North Korean threat actor to single out Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective referred to as ScarCruft (aka APT37) has also targeted trading companies and missile engineering firms located in the country. The disclosure also arrives less than two weeks after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, revealed that threat actors from Asia – primarily those from China and North Korea – accounted for a majority of attacks against the country's infrastructure. "The North Korean Lazarus group is also very active on the territory of the Russian Federation," the company said. "As of early November, Lazarus hackers still have access to a number of Russian systems." [3]
2023-11-21, Konni Group | Call of Duty Wiki - Fandom
On November 21st, 2023, Konni contractors were spotted in London by the MI6, where they were trying to acquire a flash drive from a well-known hacker. [4]
2023-12-06, [TLP:WHITE] win_konni_auto (20230808 | Detects win.konni.)
Rule win_konni_auto detects the Konni malware. [1]
The provided Whois record details a domain registered with ENOM, INC., having its initial registration date on May 11, 2007, and set to expire on May 11, 2025. The most recent update to the registration information was made on April 12, 2024. Specific information about the registrant, including their name, company, email, and phone number, has been redacted for privacy purposes. The domain utilizes two name servers: NS1.RUNHOSTING.COM and NS2.RUNHOSTING.COM. The absence of registrant details suggests the use of privacy protection services to safeguard the identity of the domain owner.
Whois Record Content:
| Field | Value |
|---|---|
| registrantName | N/A |
| registrantCompany | N/A |
| Email | N/A |
| Address | Redacted for Privacy Purposes |
| Phone | N/A |
| Registration Date | 2007-05-11 07:35:12 |
| Expiration Date | 2025-05-11 07:35:00 |
| Updated Date | 2024-04-12 06:27:05 |
| registrarName | ENOM, INC. |
| Name Servers | NS1.RUNHOSTING.COM, NS2.RUNHOSTING.COM |
| IOC | Judge | Tags |
|---|---|---|
| ka174f.scienceontheweb.net | Unknown | DDNS |
| CVE-2023-38831 | Medium | CVSS 7.8, KEV, PoC Disclosure, Exp Disclosure |