The North Korean threat group Konni is using AI-assisted PowerShell malware to target engineers and developers in the blockchain industry. The attack begins with a Discord link delivering a ZIP archive containing a malicious shortcut file and a PDF lure. When executed, the shortcut launches a PowerShell loader that extracts a decoy document and a CAB archive containing the backdoor and supporting scripts.
The malware employs sophisticated obfuscation and establishes persistence via a scheduled task disguised as a OneDrive process. Researchers at Check Point note that the code's structure, documentation, and specific comments are characteristic of large language model-generated scripts, indicating AI-assisted development. Before activating, the malware performs anti-analysis checks to avoid detection in virtualized environments.
Once running, the backdoor communicates with a command-and-control server, sending host metadata and executing any PowerShell commands received in response. Based on similarities in tactics and infrastructure, Check Point attributes this campaign to the Konni group, which has a history of targeting organizations in the Asia-Pacific region. This operation highlights the evolving use of AI by state-sponsored actors to create more sophisticated and evasive malware for financial espionage.
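A defender-side check for the persistence pattern described above, added here as an example (it is not code from the Check Point report or from the malware): it flags scheduled tasks whose name invokes OneDrive but whose action launches PowerShell rather than the genuine OneDrive client. The legitimate OneDrive install paths, the suspicious-switch list, and the sample task records are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed locations of the genuine OneDrive client (per-user install and machine-wide install).
LEGIT_ONEDRIVE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive"
    r"|[a-z]:\\program files(?: \(x86\))?\\microsoft onedrive)\\onedrive\.exe$"
)
# PowerShell switches typical of loaders that hide the window, bypass policy or encode the command.
SUSPICIOUS_ARGS_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\b|nop(?:rofile)?\b"
    r"|ep\s+bypass|executionpolicy\s+bypass)", re.I)

@dataclass
class TaskRecord:
    name: str  # task name as registered, e.g. from a task-creation audit event
    exe: str   # executable the task action runs
    args: str  # arguments passed to that executable

def findings_for(task: TaskRecord) -> list[str]:
    """Return reasons a task looks like OneDrive-themed masquerading; empty list means no finding."""
    reasons = []
    exe = task.exe.strip('"').lower()
    if "onedrive" in task.name.lower() and not LEGIT_ONEDRIVE_RE.match(exe):
        reasons.append("OneDrive-themed task name but action is not the OneDrive client binary")
    if "powershell" in exe or "pwsh" in exe:
        reasons.append("task action launches PowerShell")
        if SUSPICIOUS_ARGS_RE.search(task.args):
            reasons.append("PowerShell arguments hide the window, bypass policy or encode the command")
    return reasons

def triage(tasks: list[TaskRecord]) -> dict[str, list[str]]:
    """Map each suspicious task name to its findings; tasks with no findings are omitted."""
    return {t.name: r for t in tasks if (r := findings_for(t))}

# Constructed sample records (hypothetical; not indicators taken from the report).
SAMPLE_TASKS = [
    TaskRecord(r"\OneDrive Standalone Update Task-S-1-5-21-1",
               r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "/update"),
    TaskRecord(r"\OneDriveUpdateCheck",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"-nop -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\svc.ps1"),
    TaskRecord(r"\MicrosoftEdgeUpdateTaskMachineUA",
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "/ua"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

In practice the records would be populated from exported task definitions or task-creation audit events rather than the inline samples.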
