Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43).

“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week.

The cyber espionage group is notable for its targeting of Russia, with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks.

Recent attacks documented by Knowsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from the infected machines.

“Konni’s primary objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”

The latest attack sequence observed by Fortinet involves a macro-laced Word document that, when enabled, displays an article in Russian that’s purportedly about “Western Assessments of the Progress of the Special Military Operation.”

The Visual Basic for Application (VBA) macro subsequently proceeds to launch an interim Batch script that performs system checks, User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities.

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands,” Lin said.

Konni is far from the only North Korean threat actor to single out Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective referred to as ScarCruft (aka APT37) has also targeted trading companies and missile engineering firms located in the country.

The disclosure also arrives less than two weeks after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, revealed that threat actors from Asia – primarily those from China and North Korea – accounted for a majority of attacks against the country’s infrastructure.

“The North Korean Lazarus group is also very active on the territory of the Russian Federation,” the company said. “As of early November, Lazarus hackers still have access to a number of Russian systems.”