North Korean 'Konni' APT Weaponizes Google Ads to Deliver EndRAT Malware

Operation Poseidon: North Korean APT Konni Abuses Google Advertising URLs for Malware Delivery

HIGH
January 20, 2026
Threat Actor, Malware, Phishing

Related Entities

  • Products & Tech: AutoIt
  • Other: EndRAT, Google

Executive Summary

Security researchers have uncovered a new campaign, "Operation Poseidon," attributed to the North Korea-linked Konni APT group. This operation demonstrates a significant evolution in tactics by abusing Google's advertising platform as a redirection and obfuscation service. By embedding malicious links within legitimate-looking Google ad URLs, the attackers are able to bypass many email security solutions and gain user trust. The final payload is a remote access trojan known as EndRAT, delivered via a multi-stage process involving an AutoIt script.

Threat Overview

"Operation Poseidon" is a spear-phishing campaign that leverages a clever abuse of a legitimate service. Instead of directly linking to a malicious domain, the phishing emails contain a URL that points to Google's advertising platform. This link then redirects the user to the attacker's malware delivery infrastructure. This technique is effective because traffic to and from google.com is almost universally trusted and allowed through firewalls and proxies. The campaign also employs additional evasion techniques, such as stuffing phishing emails with "meaningless invisible English text" to confuse AI-based detection engines that analyze text for malicious sentiment or patterns.

Technical Analysis

The attack chain for Operation Poseidon follows these steps:

  1. Initial Access: A spear-phishing email is sent to the target containing a specially crafted Google advertising URL (T1566.002 - Spearphishing Link).
  2. Defense Evasion & Execution: The user clicks the link, which appears legitimate. The Google Ads platform redirects the user to a malicious server, which delivers a file masquerading as a PDF. This file is actually a compiled AutoIt script (T1218.001 - Compiled HTML File). Executing this script begins the malware installation process.
  3. Payload Delivery: The AutoIt script is responsible for dropping and executing the final payload, EndRAT (T1105 - Ingress Tool Transfer).
  4. Command and Control: Once active, EndRAT establishes a C2 channel back to the Konni operators, allowing for remote control, data exfiltration, and further actions on the compromised system.

The use of internal version numbers like client3.3.14 within the malware indicates that EndRAT is under active and continuous development by the threat actor, suggesting a long-term and committed operation.

Impact Assessment

A successful infection with EndRAT provides the Konni APT group with persistent access to the victim's network. This can be leveraged for cyber espionage, data theft, and as a foothold for broader network intrusion. The abuse of trusted platforms like Google Ads poses a significant risk, as it lowers the effectiveness of standard security controls and makes it harder for users to identify malicious links. This campaign highlights the need for defense-in-depth and an assumption that even traffic from trusted sources can be weaponized.

IOCs

No specific IOCs (domains, hashes) were provided in the source articles.

Cyber Observables for Detection

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| process_name | AutoIt3.exe | Execution of the AutoIt interpreter; highly anomalous in most corporate environments. | EDR logs, Windows Event ID 4688 | high |
| command_line_pattern | AutoIt3.exe /AutoIt3ExecuteScript "<path_to_script>" | Command line used to execute a malicious AutoIt script. | EDR command-line logging | high |
| network_traffic_pattern | DNS queries or HTTP requests immediately following a redirect from a known ad platform URL (e.g., googleadservices.com) | Can indicate a user being redirected from a malicious ad to a malware dropper site. | DNS logs, proxy logs | medium |
| email_artifact | Emails containing large blocks of hidden or zero-font-size text | Evasion technique used to bypass AI/ML email filters. | Email gateway content analysis | medium |

Detection & Response

  • D3FEND: Process Analysis (D3-PA): Monitor for the execution of AutoIt3.exe. Unless AutoIt is a standard tool in your environment, any execution should be treated as suspicious and investigated.
  • URL Analysis: Use an email security gateway or proxy that can follow redirects and analyze the final destination URL for malicious content, rather than just trusting the initial link.
  • D3FEND: Executable Allowlisting (D3-EAL): Implement application control policies to block the execution of unauthorized scripting engines like AutoIt.
  • Threat Hunting: Proactively hunt for the presence of compiled AutoIt scripts (.a3x files) or executables on endpoints, especially in user download folders or temporary directories.
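As an added illustration of the process_name and command_line_pattern observables and the hunting guidance above (example code, not from the report or any vendor tool), the following Python triages constructed Windows Event ID 4688 records for AutoIt3.exe execution, the /AutoIt3ExecuteScript switch, scripts dropped into download or temp folders, and the PDF-lookalike naming the report describes. The sample paths, user name and the USER_WRITABLE_RE directory list are assumptions to adapt to your own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Windows Event ID 4688 (process creation) records, shaped
# like an EDR/SIEM export. Paths and names are made up for illustration and are
# not indicators from the Operation Poseidon campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r'AutoIt3.exe /AutoIt3ExecuteScript "C:\Users\alice\Downloads\invoice.pdf.a3x"'},
    {"image": r"C:\Program Files\AutoIt3\AutoIt3.exe", "cmdline": r"AutoIt3.exe C:\build\deploy.au3"},
]

# Directories where a phished user's download would land (assumption; tune per environment).
USER_WRITABLE_RE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)
EXECUTE_SCRIPT_RE = re.compile(r'/AutoIt3ExecuteScript\s+"?([^"]+?)"?\s*$', re.I)
SCRIPT_EXTS = (".a3x", ".au3")

def script_path_from(cmdline):
    """Return the script argument of an AutoIt3 command line, or None."""
    m = EXECUTE_SCRIPT_RE.search(cmdline)
    if m:
        return m.group(1)
    return next((t for t in cmdline.split() if t.lower().endswith(SCRIPT_EXTS)), None)

def analyze_event(ev):
    """Return the reasons a 4688 record matches the AutoIt observables ([] if it does not)."""
    if PureWindowsPath(ev["image"]).name.lower() != "autoit3.exe":
        return []
    reasons = ["process_name: AutoIt3.exe executed"]
    if "/autoit3executescript" in ev["cmdline"].lower():
        reasons.append("command_line_pattern: /AutoIt3ExecuteScript switch present")
    if USER_WRITABLE_RE.search(ev["image"]):
        reasons.append("interpreter runs from a user-writable directory")
    script = script_path_from(ev["cmdline"])
    if script:
        if USER_WRITABLE_RE.search(script):
            reasons.append("script lives in a download/temp directory: " + script)
        if PureWindowsPath(script).stem.lower().endswith(".pdf"):  # e.g. invoice.pdf.a3x
            reasons.append("script name masquerades as a PDF document")
    return reasons

def triage(events):
    """Map the command line of each matching record to its reasons; other records are skipped."""
    return {ev["cmdline"]: r for ev in events if (r := analyze_event(ev))}

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS).items():
        print(cmd + "\n  - " + "\n  - ".join(reasons))
```

In an environment where AutoIt is an approved tool, the single-reason hit on the deploy.au3 record is the baseline to suppress, while the multi-reason hit is what the hunt is looking for.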

Mitigation

  • User Training: Educate users about the risk of malvertising and the tactic of abusing legitimate services. Emphasize caution even when a link appears to originate from a trusted domain like Google.
  • Restrict Scripting Engines: If not required for business purposes, use application control to block the execution of interpreters like AutoIt3.exe, PowerShell.exe (for standard users), and cscript.exe.
  • Enhanced Email Filtering: Deploy email security solutions that can perform deep content inspection, including analyzing for hidden text and following URL chains to their final destination.
  • D3FEND: Outbound Traffic Filtering (D3-OTF): Implement egress filtering to block C2 traffic to unknown or uncategorized domains, which can prevent malware like EndRAT from communicating with its operators.
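An added example (not code from the report) of the hidden-text check that the email_artifact observable and the Enhanced Email Filtering item call for: it walks an HTML message body, separates words inside elements hidden by inline style or the hidden attribute from the visible words, and reports the share of hidden text so a gateway rule can flag bodies dominated by invisible filler. The sample message is constructed, and the inline-style patterns treated as "hidden" are an assumption to extend for your own mail stream.

```python
import re
from html.parser import HTMLParser

# Constructed sample email body: a short visible lure padded with hidden filler text.
# Made up for illustration; it is not a message from the campaign.
SAMPLE_HTML = """<html><body>
<p>Please review the attached quarterly report.</p>
<p><a href="https://example.test/report">Open report</a></p>
<div style="font-size:0px;color:#ffffff">the quick brown fox jumps over the lazy dog again and again
meeting agenda minutes quarterly budget forecast welcome aboard team update reminder</div>
<span style="display:none">another block of filler prose that no human reader will ever see</span>
</body></html>"""

# Inline styles that make text invisible to a human while still feeding a text classifier.
HIDDEN_STYLE_RE = re.compile(
    r"font-size\s*:\s*0+(\.0+)?(px|pt|em|rem|%)?\s*(;|$)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0+(\.0+)?\s*(;|$)", re.I)

class HiddenTextCounter(HTMLParser):
    """Split the words of an HTML body into visible and hidden buckets."""
    VOID = {"br", "img", "hr", "meta", "link", "input"}   # no end tag, never pushed

    def __init__(self):
        super().__init__()
        self.stack = []                 # one bool per open element: hidden or not
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))
        # Children of a hidden element are hidden too, whatever their own style says.
        self.stack.append(hidden or (self.stack[-1] if self.stack else False))

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        bucket = self.hidden if self.stack and self.stack[-1] else self.visible
        bucket.extend(data.split())

def hidden_text_ratio(html):
    """Return (hidden_words, visible_words, share of hidden words among all words)."""
    p = HiddenTextCounter()
    p.feed(html)
    p.close()
    h, v = len(p.hidden), len(p.visible)
    return h, v, (h / (h + v) if h + v else 0.0)
```

A body in which hidden words outnumber visible ones is the pattern the report describes; the cut-off at which a gateway quarantines rather than warns is a local tuning decision.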

Timeline of Events

  • January 20, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Train users to be suspicious of links, even from trusted domains, and to verify the final destination of URLs before providing credentials or downloading files.
  • Use application control solutions to block the execution of unauthorized scripting tools like AutoIt.
  • Use web filtering and URL analysis to block access to known malicious domains and newly registered domains, which are often used for malware delivery.

D3FEND Defensive Countermeasures

Implement a strict application control policy using a tool like Windows Defender Application Control or AppLocker. Specifically, create rules to block the execution of AutoIt3.exe and its associated script files (.au3, .a3x). Since AutoIt is not a standard business application in most enterprises, blocking it entirely is a highly effective way to break the 'Operation Poseidon' attack chain at the execution stage. This prevents the EndRAT payload from being installed even if a user is tricked into downloading the initial dropper. Start by deploying this policy in audit mode to identify any legitimate use cases before moving to full enforcement.

Deploy an advanced email security gateway and web proxy that can perform deep URL analysis and follow redirection chains. The solution should not just trust the initial googleadservices.com link but should recursively follow the redirects to the final landing page and analyze its content for malicious scripts or downloads. Configure policies to block or issue strong warnings for URLs that have been recently registered or are hosted on dynamic DNS services. This countermeasure addresses the core tactic of abusing legitimate redirectors by inspecting the true destination of the link.

Sources & References

  • Malicious Chrome Extension Crashes Browser in ClickFix Variant 'CrashFix', SecurityWeek (securityweek.com), January 19, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

APT, North Korea, Konni, EndRAT, Google Ads, spear-phishing, malvertising
