Konni APT Exploits WinRAR Vulnerability (CVE-2023-38831) To Attack The Digital Currency Industry

Konni, a North Korean APT group, has launched its first attack against the cryptocurrency industry, exploiting the recently disclosed WinRAR vulnerability tracked as CVE-2023-38831.

According to the study, Konni’s decision to focus on the cryptocurrency market was unusual; typically, North Korea’s notorious Lazarus Group targets the financial and crypto industries.

“The attack target of the Konni organization captured this time is very different from the past. It is speculated that the Konni organization may be opening up a new attack direction,” said the Chuangyu 404 Advanced Threat Intelligence Team.


Attack Execution

In this case, the sample is named “wallet_Screenshot_2023_09_06_Qbao_Network.zip.” Qbao Network is a smart cryptocurrency wallet service.

QbaoNetwork is a smart encryption wallet. It seeks to provide a gateway into the blockchain community and a blockchain ecological platform. 

It incorporates cross-chain digital currency wallets, payment settlements, token exchanges, social networks, news quotations, the DAPP Store, and other features.

The analyzed sample executes its malicious payload by way of the recently discovered WinRAR vulnerability (CVE-2023-38831).

When the victim clicks the HTML file inside the archive, WinRAR instead opens the carefully crafted directory that carries the identical name, and the malicious payload bearing the same name is executed.

[Figure: Malicious payload with the same name will be executed]
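As an added illustration of the archive layout described above (this is example code, not from the original article or from the researchers), the following script inspects a ZIP listing for the CVE-2023-38831 pattern: a decoy document sitting next to a directory of the same name (typically with a trailing space) that holds an executable whose name begins with the decoy's name. The entry names and sample archive are constructed for the demonstration.

```python
import io
import zipfile

# Document types used as the decoy, and script/binary types used as the payload.
DECOY_EXTS = {".html", ".htm", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".doc", ".docx"}
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".lnk", ".ps1", ".scr", ".com"}


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, ignoring trailing spaces."""
    base = name.rsplit("/", 1)[-1].rstrip()
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def build_sample_archive(spoofed: bool = True) -> bytes:
    """Constructed, harmless archive mimicking the decoy/directory layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wallet_screenshot.html", "<html><body>decoy</body></html>")
        if spoofed:
            # Directory named like the decoy plus a trailing space; inside it a
            # script whose name starts with the decoy name (constructed sample).
            zf.writestr("wallet_screenshot.html /wallet_screenshot.html .cmd",
                        "@echo constructed sample\r\n")
    return buf.getvalue()


def find_spoofed_pairs(zip_bytes: bytes) -> list:
    """Return (decoy, directory, payload) triples matching the spoofing pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    decoys = {n for n in names if "/" not in n and _ext(n) in DECOY_EXTS}
    hits = []
    for n in names:
        directory, sep, leaf = n.rpartition("/")
        if not sep or not leaf.rstrip():
            continue  # top-level file or bare directory entry
        for decoy in decoys:
            # Directory name equals the decoy once trailing whitespace is ignored,
            # and the inner entry is executable and shares the decoy's name prefix.
            if (directory.rstrip() == decoy and leaf.startswith(decoy)
                    and _ext(leaf) in EXEC_EXTS):
                hits.append((decoy, directory, leaf))
    return hits
```

Matching on archive entry names is a heuristic for triage; it flags the layout, not the WinRAR version in use.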

The cybersecurity company Group-IB discovered this vulnerability, tracked as CVE-2023-38831. WinRAR subsequently issued a patch to address the issue, but users who had not updated to the fixed version remained at risk.

Hence, Konni’s entry into this industry suggests that North Korean hackers have a broader plan to attack the networks of financial institutions and cryptocurrency exchanges.

By exploiting a novel vulnerability and shifting the sectors it targets, Konni has shown how APT attacks evolve. The Konni campaign serves as a wake-up call for the cryptocurrency and cybersecurity community.

To protect against these sophisticated and constantly evolving attacks, the cryptocurrency industry must remain alert and proactive in upgrading its security procedures. In particular, users are advised to update WinRAR to the patched version.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.