North Korea-linked Konni APT uses Russian-language weaponized documents

Pierluigi Paganini November 24, 2023

North Korea-linked Konni APT group used Russian-language Microsoft Word documents to deliver malware.

FortiGuard Labs researchers observed the North Korea-linked Konni APT group using a weaponized Russian-language Word document in an ongoing phishing campaign.

The KONNI RAT was first spotted by Cisco Talos researchers in 2017, it has been undetected since 2014 and was employed in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is able to execute arbitrary code on the target systems and steal data.

In the ongoing campaign, threat actors used a remote access trojan (RAT) to extract information and execute commands on targets’ devices.

“FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign.” reads the report published by Fortinet. “Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry”

Konni APT

Upon opening the document, a yellow prompt bar appears and attempts to trick the victim into “Enable Content.” The Word document seems to be in the Russian language.

Upon enabling the macro, the embedded VBA displays a Russian article titled “Western Assessments of the Progress of the Special Military Operation.”

Konni APT

The macro launches the “check.bat” script using the “vbHide” parameter to avoid presenting a command prompt window to the victim.

The Batch script conducts system checks and UAC bypass. Subsequently, it executes actions to deploy a DLL file endowed with information gathering and data exfiltration capabilities.

The malicious code uploads the exfiltrated, encrypted data to the C2 server via a POST request.

Although the C2 server hasn’t disclosed the actual command, experts can deduce it from the DLL file’s assembly code.

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands.” concludes the report. “As this malware continues to evolve, users are advised to exercise caution with suspicious documents.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Konni APT)

you might also like

leave a comment