A recently observed phishing campaign uses a Russian-language Microsoft Word document to deliver malware that harvests sensitive data from compromised Windows hosts. The activity has been attributed to the threat actor tracked as Konni, which has ties to the North Korean cyber espionage group Kimsuky (also tracked as APT43).

In a report from Fortinet's FortiGuard Labs, researcher Cara Lin noted that the campaign delivers a remote access Trojan (RAT) capable of collecting information and executing commands on infected devices. This is consistent with Konni's established tradecraft, which relies on spear-phishing and malicious documents to gain an initial foothold.

The group is known for targeting organizations in Russia, particularly government-related entities and think tanks. Its playbook typically pairs spear-phishing emails with weaponized documents as the entry point into chosen targets, from which it pursues its espionage objectives.

Recent attack chains documented by Knownsec and ThreatMon have also exploited the WinRAR vulnerability CVE-2023-38831 and used obfuscated Visual Basic scripts to deploy the Konni RAT alongside a Windows Batch script that collects data from infected machines. These variations underscore Konni's primary goals of data exfiltration and espionage, pursued with a diverse set of malware and delivery tactics to evade detection.

Fortinet's latest observations describe an attack chain that begins with a macro-enabled Word document. Once macros are enabled, the document displays a Russian-language article titled "Western Assessments of the Progress of the Special Military Operation" as a decoy, while a Visual Basic for Applications (VBA) macro runs an interim Batch script that checks system settings, bypasses User Account Control (UAC), and then loads a DLL that collects and exfiltrates information from the targeted host.
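A first triage step for lures like this one is to check whether an inbound Word document carries a VBA project at all, before any macro is ever enabled. The following is an added example written for this article, not code from Fortinet or the Konni analysis. It assumes the document is an Office Open XML container (.docx/.docm, which is a ZIP archive); legacy binary .doc files would need an OLE parser such as oletools instead. The sample documents are constructed in memory for the demonstration, the `vbaProject.bin` part is a placeholder blob rather than a compiled VBA project, and the auto-execution marker strings are a heuristic hint only, since the real VBA stream is MS-OVBA compressed.

```python
"""Triage check for VBA-bearing Office Open XML documents.

Added example, not code from the article or from Fortinet. Assumes the OOXML
(.docx/.docm) ZIP layout: VBA code lives in word/vbaProject.bin and
[Content_Types].xml declares whether the main part is macro-enabled.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
CONTENT_TYPES = "[Content_Types].xml"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
# Procedure names that run automatically when the document opens. They are
# often still visible as literals inside the MS-OVBA compressed stream, but
# their absence proves nothing, so treat hits as corroboration only.
AUTO_EXEC_MARKERS = (b"AutoOpen", b"Document_Open", b"AutoExec")


def inspect_document(data: bytes, filename: str) -> dict:
    """Triage one OOXML document given its bytes and the name it arrived with."""
    result = {"has_vba": False, "declared_macro_enabled": False,
              "extension_mismatch": False, "autoexec_hints": [],
              "suspicious": False, "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML container"
        return result
    names = set(zf.namelist())
    if VBA_PART in names:
        result["has_vba"] = True
        blob = zf.read(VBA_PART)
        result["autoexec_hints"] = [m.decode() for m in AUTO_EXEC_MARKERS if m in blob]
    if CONTENT_TYPES in names:
        ct_xml = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
        result["declared_macro_enabled"] = MACRO_MAIN_CT in ct_xml
    # A file named .docx that still ships a VBA project is a known attempt to
    # slip past mail filters that only block the .docm extension; flag it.
    if result["has_vba"] and filename.lower().endswith(".docx"):
        result["extension_mismatch"] = True
    # Any VBA project in an unsolicited document is worth a human look.
    result["suspicious"] = result["has_vba"]
    return result


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML Word document in memory.

    Constructed test data only, not a real Konni lure. The vbaProject.bin
    written here is a placeholder blob containing an AutoOpen marker, not a
    compiled VBA project.
    """
    main_ct = MACRO_MAIN_CT if with_vba else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder AutoOpen placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vba in (("report.docm", True), ("report.docx", True), ("memo.docx", False)):
        print(name, inspect_document(build_sample(vba), name))
```

The check is deliberately conservative: it reports the presence of a VBA project and an extension/content mismatch as facts, and the auto-execution markers only as hints, so an analyst can decide whether to detonate the file in a sandbox. It says nothing about what the macro does; for that, the VBA stream has to be decompressed and read.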

Lin noted that the payload includes a UAC bypass and encrypted communication with a command-and-control (C2) server, which lets the operators issue privileged commands on compromised devices. In MITRE ATT&CK terms, the chain spans initial access via a spearphishing attachment (T1566.001), execution through VBA and batch scripts (T1059.005 and T1059.003), persistence of the implant on the host, and privilege escalation by UAC bypass (T1548.002) to maintain privileged remote access.

Konni is one of several North Korean threat actors actively targeting Russian entities. Evidence gathered by firms such as Kaspersky shows that other groups, including ScarCruft (also known as APT37), have likewise focused on trading companies and missile engineering firms located in Russia.

The disclosure follows findings from Solar, the cybersecurity arm of Russian state telecommunications provider Rostelecom, which reported that threat actors from Asia, most notably China and North Korea, account for a significant share of cyber incidents against Russian infrastructure. As of early November, the North Korean Lazarus group was reported to still hold access to multiple Russian systems, pointing to an ongoing and evolving threat.
