North Koreans are looking to steal sensitive data from Russian targets using malicious Microsoft Word documents, experts have claimed.
These are the findings of Fortinet researcher Cara Lin, who observed a group tracked as Konni (which may in fact be Kimsuky, AKA APT43, given a number of overlaps with that known threat actor) trying to deliver a malicious Russian-language Microsoft Word document to its victims.
The malware, as you might expect, comes in the form of a macro. This script will launch an interim Batch script that will check the system, bypass User Account Control (UAC) settings, and finally deploy an infostealing DLL.
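The execution chain described above (Office document, then an interim Batch script, then a DLL) is exactly the kind of parent/child process relationship that endpoint telemetry makes visible. The following Python is an added example written for this article, not code from Fortinet's report or from the malware, and it assumes process-creation records of the kind Sysmon event ID 1 or an EDR would produce, here constructed inline. It flags a Word process spawning cmd.exe with a .bat or .cmd argument as medium severity, and raises it to high when that shell in turn launches a DLL loader such as rundll32.exe or regsvr32.exe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon event ID 1 or EDR log carries)."""
    pid: int
    ppid: int
    image: str      # executable file name; compared case-insensitively below
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = (".bat", ".cmd")


def _name(event: ProcEvent) -> str:
    return event.image.lower()


def find_macro_chains(events):
    """Return one finding per Office -> cmd.exe(.bat) chain found in the events.

    Each finding records the Office and cmd.exe pids, any DLL-loader children of
    that cmd.exe, and a severity: "medium" for the macro-to-batch hop alone,
    "high" when the batch stage goes on to load a DLL.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for cmd in events:
        if _name(cmd) not in SCRIPT_HOSTS:
            continue
        if not any(ext in cmd.cmdline.lower() for ext in SCRIPT_EXTS):
            continue
        office = by_pid.get(cmd.ppid)
        if office is None or _name(office) not in OFFICE_APPS:
            continue
        # DLL loaders launched by this batch stage (the article's final step).
        loaders = [c.pid for c in events
                   if c.ppid == cmd.pid and _name(c) in DLL_LOADERS]
        findings.append({
            "office_pid": office.pid,
            "cmd_pid": cmd.pid,
            "loader_pids": loaders,
            "severity": "high" if loaders else "medium",
        })
    return findings


# Constructed sample telemetry (pids, paths and file names are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # Suspicious chain: Word -> cmd.exe running a .bat -> rundll32 loading a DLL.
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" C:\\Users\\u\\Downloads\\article.docx'),
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\check.bat"'),
    ProcEvent(400, 300, "rundll32.exe", 'rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll,Run'),
    # Benign: Word spawning its print helper, no script or loader involved.
    ProcEvent(500, 100, "WINWORD.EXE", '"WINWORD.EXE" C:\\Users\\u\\Documents\\notes.docx'),
    ProcEvent(600, 500, "splwow64.exe", "splwow64.exe 12288"),
    # Benign: a build script run from Explorer, no Office parent, so not flagged.
    ProcEvent(700, 100, "cmd.exe", "cmd.exe /c build.bat"),
    ProcEvent(800, 700, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]


if __name__ == "__main__":
    for f in find_macro_chains(SAMPLE_EVENTS):
        print(f)
```

Only the first chain is reported, at high severity, because it has all three hops; the cmd.exe launched from Explorer has a .bat and a rundll32 child but no Office parent, so it is left alone. In production the same logic would run over a stream of events rather than a list, and the loader set would be widened to whatever the environment's allowlist permits.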
Friend or foe?
“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Lin said in the report. “The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands.”
The document being distributed carries an article in the Russian language, allegedly about “Western assessments of the progress of the Special Military Operation”.
In its writeup, The Hacker News says Konni is “notable” for its targeting of Russia.
Most of the time, the group relies on spear-phishing emails and malicious documents to gain access to target endpoints. Earlier attacks, spotted by cybersecurity researchers at Knownsec and ThreatMon, abused a vulnerability in WinRAR (CVE-2023-38831), the report added. “Konni’s primary objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”
This is not the first time we’ve seen North Korean hackers targeting Russian firms. Last summer, two separate groups, ScarCruft and Lazarus Group, went after NPO Mashinostroyenia, an important Russian missile engineering company. While ScarCruft managed to compromise “sensitive internal IT infrastructure”, including an email server, Lazarus used a Windows backdoor known as OpenCarrot.