North Korea Invades Russia With RAT
Share this:
Researchers discovered a campaign carried out by the North Korea-linked Konni APT group aimed at Russian diplomatic entities that used new versions of malware implants.
The APT group carried out spear-phishing attacks using New Year’s Eve festivities as a lure. Upon opening the malicious email attachment, a multi-stage attack chain starts, the final payload is a new version of the Konni RAT family.
The malicious activity starts from an email containing a malicious zip file, which once decompressed drops a malicious downloader able to activate a complex chain of actions finalized to deploy Konni RAT malware, named scrnsvc.dll, as Windows service. The RAT was able to avoid detection due to continuous evolution, it is able of executing arbitrary code on the target systems and stealing data. The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.
The activity of the APT group aimed at Russian targets in the diplomatic sector since August 2021. On December 20, the group targeted the Russian Embassy located in Indonesia with spear-phishing messages using the New Year Eve 2022 festivity as decoy theme.
The spear-phishing messages used a .zip attachment named “поздравление.zip” instead of weaponized office documents, the archive contains executables that acts as the first stage malware. The spoofed messages used a *@mid.ru account as a sender to trick the victims into believing that it was sent from the Russian Embassy in Serbia.
The Windows x32 executable in the archive, named “поздравление.scr,” was compiled on Dec 20 09:16:02 2021, a circumstance that suggests it was specifically developed to the operation that was uncovered by the C25 team.
The final payload is a x64 Konni RAT version compiled on Dec 20 09:02:38 2021. The attribution of the attacks to the Konni APT group is based on the similarities of the implant used with previous versions of the Konni RAT, and significant overlap of the kill-chain with the TTPs linked to North Korean linked group, and the use of CAB files as infection stage.
Indicators of Compromise
| 53b687202e69dd8d5e2e841036c96a12b93971c9ff99ca54c109c491e7ad8eba |
| 189fdac8fd88d61ba9cbd4f7d27561a6f60a9666 |
| ad152ab451527cf2baa96304c6ecd383 |
| 72185f9dbf66d0e5dc0e1873934c183bc120708085c0de8a0e2a748f10f77de8 |
| b433cc324a785e1d0291c961e2816e91a9549057 |
| 3462e40caeec0fa52bd3c04ad8cbc9d3 |
| 451b9d4144555fcc791231db73ef3bfdb6ffddeb655e07a457108766f0e6ad39 |
| fb7d9bc8309f589e39e091ef5a7b08260596ffcd |
| 8ec9a6ff22c497375b53344cafeb2292 |
| 4ca8ac99b2416d8fae67a8b18a58c8d267b7e2b72af1ee0369f2470a030af8c7 |
| 6883e1c2c1f3656cb756264fde77f88ebcde541c |
| 446ea8033ae343971312745c79fced2e |
| b6845a436df2b3a79dd1b0e4a57a06c60f718eee0272a3eb81183ee4750037b9 |
| 191604259def68250272919214aea109503200fe |
| 8269e1b2afaa832e7900640ebfe44bb4 |
| 24f5fb91ca41e4a191a44629f064fa14c4063b7cda68ebc2b7afb7e68a9d3cdd |
| f08c033d1a9f2f75a17cbcb71e3041263d2d3e61 |
| 58560f053a099104b0f8ac1c9fed2903 |
| a3cd08afd7317d1619fba83c109f268b4b60429b4eb7c97fc274f92ff4fe17a2 |
| c1d312762d598831d431b08e47075047582856aa |
| 57a22e74ba27b034613b0c6ac54a10d5 |
| 8f7037aaf27bb58a15f946bd3a30cb468078a7ee9addcc4ba89440b2114e4c83 |
| fc54cefe956ed5360418c0165cf2a687bbeb62fc |
| 954fe31816f2f7f095244573de8f9086 |
| i758769.atwebpages.com |
| 455686.c1.biz |
| h378576.atwebpages.com |
| http://i758769.atwebpages.com/index.php?user_id=18756&type=1 |
| http://455686.c1.biz/dn.php?name=HOME-DESK&prefix=tt |
| http://h378576.atwebpages.com /dn.php?name=HOME-DESK&prefix=tt |
