A new and ongoing malware campaign targetting Russia. The payload dropped by threat actors in this attack is the Konni RAT being used by the North Korean Black Hat group of hackers known as Thallium and APT37.

North Korea was also hit by Konni RAT days after a missile test way back in 2017. The hackers behind Konni malware campaigns might be of Korean origin, and the attacks were probably originating from South Korea.

The attack technique involves social engineering techniques such as luring the victim into downloading a document file weaponized with a malicious macro. Once the victim enables macro it executes a chain of activities including deployment of a new variant of Konni RAT that is heavily obfuscated.

Konni Rat is equipped with screen capturing and keylogging capabilities due to which it manages to steal data from targeted computers. In the ongoing campaign, the malware uses cmd /c systeminfo command to collect device information including:

Researchers have identified two documents that are being used in the campaign. One of the documents addresses trade and economic issues between the Korean Peninsula and Russia while the other document claims to address MOM between the inter governmental Russian-Mongolian commission. Both are written in Russian language. Below are the countries where the traces of campaign found.

  • Japan
  • Nepal
  • Mongolia
  • Vietnam

The threat actors behind the new variant of Konni RAT have so far managed to evade detection against most of the used anti-virus products.