Pierluigi Paganini January 06, 2022

North Korea-linked APT group Konni targets Russian Federation’s Ministry of Foreign Affairs (MID) new versions of malware implants.

Security researchers at Cluster25 uncovered a recent campaign carried out by the North Korea-linked Konni APT group aimed at Russian diplomatic entities that used new versions of malware implants.

The APT group carried out spear-phishing attacks using New Year’s Eve festivities as a lure. Upon opening the malicious email attachment, a multi-stage attack chain starts, the final payload is a new version of the Konni RAT family.

“The malicious activity starts from an email containing a malicious zip file, which once decompressed drops a malicious downloader able to activate a complex chain of actions finalized to deploy Konni RAT malware, named scrnsvc.dll, as Windows service.” reads the report published by Cluster25.

The KONNI RAT was first spotted by Cisco Talos researchers in 2017, it has been undetected since 2014 and was employed in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is able of executing arbitrary code on the target systems and stealing data.

The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.

C25 researchers have monitored the activity of the APT group aimed at Russian targets in the diplomatic sector since August 2021. On December 20, the group targeted the Russian Embassy located in Indonesia with spear-phishing messages using the New Year Eve 2022 festivity as decoy theme.

Unlike previous operations, in the last campaign, the spear-phishing messages used a .zip attachment named “поздравление.zip” (“congratulation” in Russian) instead of weaponized office documents, The archive containsand executable that acts as the first stage malware. The spoofed messages used a *@mid.ru account as a sender to trick the victims into believing that it was sent from the Russian Embassy in Serbia.

The Windows x32 executable in the archive, named “поздравление.scr,” was compiled on Dec 20 09:16:02 2021, a circumstance that suggests it was specifically developed to the operation that was uncovered by the C25 team.

The final payload is a x64 Konni RAT version compiled on Dec 20 09:02:38 2021.

The attribution of the attacks to the Konni APT group is based on the similarities of the implant used with previous versions of the Konni RAT, and significant overlap of the kill-chain with the TTPs linked to North Korean linked group, and the use of CAB files as infection stage.

The report published by the experts includes Indicators of Compromise (IoCs) and ATT&CK MATRIX.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]