September 30, 2023
Member Alert - News

Researchers have uncovered a campaign by the North Korea-linked Konni APT group against Russian diplomatic entities that used new versions of the group's malware implants.

The group sent spear-phishing emails that used New Year's Eve festivities as the lure. Opening the malicious attachment starts a multi-stage infection chain whose final payload is a new version of the Konni RAT.

The infection starts with an email carrying a malicious zip archive. Once decompressed, the archive drops a downloader that triggers a multi-step chain ending with the Konni RAT, a DLL named scrnsvc.dll, being installed as a Windows service. The RAT has evaded detection through continuous evolution; it can execute arbitrary code on compromised systems and steal data. Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.


The group has been targeting Russian entities in the diplomatic sector since August 2021. On December 20, it sent the Russian Embassy in Indonesia spear-phishing messages that used the 2022 New Year's Eve festivities as the decoy theme.

Instead of a weaponized Office document, the messages carried a .zip attachment named “поздравление.zip” (Russian for “congratulations”); the archive contains executables that act as the first-stage malware. The sender address was spoofed to a *@mid.ru account (the domain of the Russian Ministry of Foreign Affairs) so that the messages appeared to come from the Russian Embassy in Serbia.

The 32-bit Windows executable in the archive, named “поздравление.scr”, carries a compilation timestamp of Dec 20 09:16:02 2021, which suggests it was built specifically for the operation uncovered by the C25 team. PE compilation timestamps can be forged, so this is a supporting rather than a conclusive indicator.


The final payload is an x64 build of Konni RAT compiled on Dec 20 09:02:38 2021. Attribution to the Konni APT group rests on the implant's similarities to earlier Konni RAT versions, the significant overlap between this kill chain and TTPs previously linked to the North Korea-linked group, and the use of CAB files as an infection stage.

Indicators of Compromise

File hashes (listed as SHA-256 / SHA-1 / MD5 triples):

SHA-256: 53b687202e69dd8d5e2e841036c96a12b93971c9ff99ca54c109c491e7ad8eba
SHA-1:   189fdac8fd88d61ba9cbd4f7d27561a6f60a9666
MD5:     ad152ab451527cf2baa96304c6ecd383

SHA-256: 72185f9dbf66d0e5dc0e1873934c183bc120708085c0de8a0e2a748f10f77de8
SHA-1:   b433cc324a785e1d0291c961e2816e91a9549057
MD5:     3462e40caeec0fa52bd3c04ad8cbc9d3

SHA-256: 451b9d4144555fcc791231db73ef3bfdb6ffddeb655e07a457108766f0e6ad39
SHA-1:   fb7d9bc8309f589e39e091ef5a7b08260596ffcd
MD5:     8ec9a6ff22c497375b53344cafeb2292

SHA-256: 4ca8ac99b2416d8fae67a8b18a58c8d267b7e2b72af1ee0369f2470a030af8c7
SHA-1:   6883e1c2c1f3656cb756264fde77f88ebcde541c
MD5:     446ea8033ae343971312745c79fced2e

SHA-256: b6845a436df2b3a79dd1b0e4a57a06c60f718eee0272a3eb81183ee4750037b9
SHA-1:   191604259def68250272919214aea109503200fe
MD5:     8269e1b2afaa832e7900640ebfe44bb4

SHA-256: 24f5fb91ca41e4a191a44629f064fa14c4063b7cda68ebc2b7afb7e68a9d3cdd
SHA-1:   f08c033d1a9f2f75a17cbcb71e3041263d2d3e61
MD5:     58560f053a099104b0f8ac1c9fed2903

SHA-256: a3cd08afd7317d1619fba83c109f268b4b60429b4eb7c97fc274f92ff4fe17a2
SHA-1:   c1d312762d598831d431b08e47075047582856aa
MD5:     57a22e74ba27b034613b0c6ac54a10d5

SHA-256: 8f7037aaf27bb58a15f946bd3a30cb468078a7ee9addcc4ba89440b2114e4c83
SHA-1:   fc54cefe956ed5360418c0165cf2a687bbeb62fc
MD5:     954fe31816f2f7f095244573de8f9086

Domains:

i758769.atwebpages.com
455686.c1.biz
h378576.atwebpages.com

URLs:

http://i758769.atwebpages.com/index.php?user_id=18756&type=1
http://455686.c1.biz/dn.php?name=HOME-DESK&prefix=tt
http://h378576.atwebpages.com/dn.php?name=HOME-DESK&prefix=tt
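The following Python script is an added example for this alert, not tooling from the original report. It turns the indicator list above into something a responder can run: it sorts the raw lines into hashes (by digest length), domains and URLs, checks files by digest and by the stage file names the text mentions (поздравление.zip, поздравление.scr, scrnsvc.dll), and classifies proxy-log requests as an exact IOC URL, an IOC domain, or a request with the dn.php?name=...&prefix=tt query shape that both dn.php URLs share. Treating that query shape as a request signature is an assumption of the example, as are the proxy log lines and file contents, which are constructed; only the first sample's three hashes are embedded, and the remaining hash lines paste into IOC_TEXT unchanged.

```python
# Added example: match file hashes/names and proxy requests against the IOCs above.
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# First sample's SHA-256/SHA-1/MD5 plus the network indicators from the list
# above; the remaining hash lines paste into this string unchanged.
IOC_TEXT = """
53b687202e69dd8d5e2e841036c96a12b93971c9ff99ca54c109c491e7ad8eba
189fdac8fd88d61ba9cbd4f7d27561a6f60a9666
ad152ab451527cf2baa96304c6ecd383
i758769.atwebpages.com
455686.c1.biz
h378576.atwebpages.com
http://i758769.atwebpages.com/index.php?user_id=18756&type=1
http://455686.c1.biz/dn.php?name=HOME-DESK&prefix=tt
http://h378576.atwebpages.com/dn.php?name=HOME-DESK&prefix=tt
"""

HASH_ALGO_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}  # hex digest length -> algorithm

# Stage file names from the report (lure archive, .scr first stage, RAT DLL run
# as a service). A name hit alone is low confidence: hash the file and check.
STAGE_NAMES = {"поздравление.zip", "поздравление.scr", "scrnsvc.dll"}


def parse_iocs(text):
    """Sort raw indicator lines into hashes (by algorithm), domains and URLs."""
    iocs = {"sha256": set(), "sha1": set(), "md5": set(), "domain": set(), "url": set()}
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if re.fullmatch(r"[0-9a-f]+", line) and len(line) in HASH_ALGO_BY_LEN:
            iocs[HASH_ALGO_BY_LEN[len(line)]].add(line)
        elif "://" in line:
            iocs["url"].add(line)
            iocs["domain"].add(urlsplit(line).hostname)  # the URL's host is an IOC too
        else:
            iocs["domain"].add(line)
    return iocs


def match_file(path, data, iocs):
    """Return why a file looks like part of the chain: digest hits, then a stage-name hit."""
    reasons = []
    for algo in ("sha256", "sha1", "md5"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in iocs[algo]:
            reasons.append(f"{algo} matches IOC {digest}")
    name = re.split(r"[\\/]", path)[-1].lower()
    if name in STAGE_NAMES:
        reasons.append(f"file name matches a reported stage: {name}")
    return reasons


def match_request(url, iocs):
    """Classify one outbound URL: exact IOC URL, IOC domain, and/or the dn.php request shape."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if url.lower() in iocs["url"]:
        reasons.append("exact IOC URL")
    elif host in iocs["domain"]:
        reasons.append(f"IOC domain {host}")
    # Both dn.php URLs above carry name=<victim host>&prefix=tt. Treating that query
    # shape as a signature is an assumption of this example; it catches the same
    # server-side script being hit with a different victim host name.
    query = parse_qs(parts.query)
    if parts.path.endswith("/dn.php") and "name" in query and query.get("prefix") == ["tt"]:
        reasons.append("Konni dn.php request pattern")
    return reasons


def scan_proxy_log(text, iocs):
    """Run match_request over 'timestamp client url' lines and return only the hits."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            _ts, client, url = line.split(maxsplit=2)
            reasons = match_request(url, iocs)
            if reasons:
                hits.append((client, url, reasons))
    return hits


# Constructed proxy log: an exact IOC URL, a dn.php request to an IOC domain with a
# different victim host name, and a benign request sharing only the path shape.
SAMPLE_PROXY_LOG = """\
2021-12-21T09:15:02Z 10.0.5.17 http://i758769.atwebpages.com/index.php?user_id=18756&type=1
2021-12-21T09:15:31Z 10.0.5.17 http://h378576.atwebpages.com/dn.php?name=WS-0419&prefix=tt
2021-12-21T09:16:00Z 10.0.5.22 http://intranet.example/index.php?user_id=18756&type=1
"""

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(client, url, "->", "; ".join(reasons))
    # The real sample is not embedded, so only the stage name fires here.
    print(match_file(r"C:\Users\user\Downloads\поздравление.scr", b"constructed bytes", iocs))
```

The hash lookups are exact, so they only confirm the specific samples listed; the domain and dn.php checks are what catch a rebuilt dropper talking to the same infrastructure, and a stage-name hit on its own should trigger hashing rather than a verdict.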
