
Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks



Nov 23, 2023 | Newsroom | Malware / Cyber Espionage


A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

The activity has been attributed to a threat actor known as Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43).

“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week.

The cyber espionage group is notable for its targeting of Russia, with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for its attacks.


Recent attacks documented by Knownsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from the infected machines.

“Konni’s primary objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these objectives, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”

The latest attack sequence observed by Fortinet involves a macro-laced Word document that, when enabled, displays an article in Russian that is purportedly about “Western Assessments of the Progress of the Special Military Operation.”

The Visual Basic for Applications (VBA) macro subsequently proceeds to launch an interim Batch script that performs system checks, a User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that comes with information gathering and exfiltration capabilities.

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands,” Lin said.
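The chain described above (Word macro launching a Batch script, which in turn stages a DLL) leaves a distinctive parent/child process trail that endpoint telemetry can catch. The script below is an added example, not code from the article, Fortinet or the threat actor: it applies two detection rules to constructed Sysmon-style process-creation records (the field names `ProcessId`, `Image`, `ParentImage` and `CommandLine` are an assumption mirroring Sysmon Event ID 1; the paths, PIDs and file names in the samples are made up). Rule one flags an Office application spawning a script host or command interpreter; rule two flags `rundll32.exe`/`regsvr32.exe` loading a DLL from a user-writable directory.

```python
"""Flag the macro -> Batch script -> DLL process chain in process-creation logs.

Added detection example using constructed Sysmon-style (Event ID 1) records.
Not code from the article, Fortinet, or the malware author.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parent processes that should not normally launch a command interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that indicate a macro handed off to a script host or LOLBin.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Path fragments (forward slashes, lower case) that an unprivileged user can write to.
USER_WRITABLE = ("/appdata/", "/temp/", "/users/public/", "/programdata/")


@dataclass
class Finding:
    process_id: int
    parent: str
    child: str
    command_line: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Apply the two detection rules to one process-creation record.

    Keys mirror Sysmon Event ID 1 field names (assumption):
    ProcessId, Image, ParentImage, CommandLine.
    """
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    norm_cmd = cmdline.replace("\\", "/").lower()
    pid = event.get("ProcessId", -1)

    # Rule 1: Office application spawning a script host / interpreter.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return Finding(pid, parent, child, cmdline, "office_spawned_script_host")
    # Rule 2: DLL loader pointed at a DLL in a user-writable location.
    if child in DLL_LOADERS and any(frag in norm_cmd for frag in USER_WRITABLE):
        return Finding(pid, parent, child, cmdline, "dll_loaded_from_user_writable_path")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run analyze_event over a stream of records and keep the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample records; PIDs, paths and file names are illustrative only.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\check.bat"'},
    {"ProcessId": 3988,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\report.docx"'},
    {"ProcessId": 4311,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\svcupdate.dll,Start"},
    {"ProcessId": 1204,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 4150,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.reason}] pid={finding.process_id} "
              f"{finding.parent} -> {finding.child}: {finding.command_line}")
```

Only the Word-to-cmd.exe record and the rundll32 record pointing at `%TEMP%` are flagged; Word launching the print spooler helper and the system-owned rundll32 call pass, which is the point of keying on both the parent/child pair and the DLL location rather than on rundll32 alone.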


Konni is far from the only North Korean threat actor to single out Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective known as ScarCruft (aka APT37) has also targeted trading companies and missile engineering firms located in the country.

The disclosure also arrives less than two weeks after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, revealed that threat actors from Asia – primarily those from China and North Korea – accounted for a majority of attacks against the country’s infrastructure.

“The North Korean Lazarus group is also very active on the territory of the Russian Federation,” the company said. “As of early November, Lazarus hackers still have access to many Russian systems.”
