A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts.
The activity has been attributed to a threat actor known as Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43).
“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week.
The cyber espionage group is notable for its targeting of Russia, with its modus operandi involving the use of spear-phishing emails and malicious documents as entry points for its attacks.
Recent attacks documented by Knownsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from the infected machine.
“Konni’s primary objectives include information exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”
The latest attack sequence observed by Fortinet involves a macro-laced Word document that, when macros are enabled, displays an article in Russian purportedly about “Western Assessments of the Progress of the Special Military Operation.”
The Visual Basic for Applications (VBA) macro then launches an interim Batch script that performs system checks and a User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities.
“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands,” Lin said.
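As an added illustration of how a defender might catch the chain described above (a Word macro launching an interim batch script, which then loads a DLL), the following Python script builds a process tree from process-creation events and flags two stages of that chain. This is example code written for this page, not Fortinet's tooling or indicators: the events, file names and paths are constructed, the field names loosely follow Sysmon Event ID 1, and the parent/child heuristic is generic (it does not encode the specific system checks or UAC bypass the batch script performs, which the page does not detail).

```python
"""Flag an Office-launched script host that goes on to load a DLL.

Added example for this page (not Fortinet's code or IOCs). All events below are
constructed; field names loosely follow Sysmon Event ID 1 (process creation).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".ps1")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event. Real telemetry should key on ProcessGuid,
    since PIDs are reused; plain PIDs are used here to keep the example short."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def ancestry(proc: ProcEvent, index: Dict[int, ProcEvent], max_depth: int = 8) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... until the chain breaks or max_depth is hit."""
    cur = index.get(proc.ppid)
    depth = 0
    while cur is not None and depth < max_depth:
        yield cur
        cur = index.get(cur.ppid)
        depth += 1


def runs_script_file(cmdline: str) -> bool:
    """True if the command line references a script file by extension."""
    low = cmdline.lower()
    return any(ext in low for ext in SCRIPT_EXTS)


def find_macro_dropper_chains(events: List[ProcEvent]) -> List[dict]:
    """Return findings in event order.

    Stage 1: an Office process directly starts a script host that runs a script file
             (the macro launching the interim batch script).
    Stage 2: a DLL loader whose ancestry contains a script host started by an Office
             process (the batch script deploying the DLL payload).
    """
    index = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        parent = index.get(e.ppid)
        if (e.name in SCRIPT_HOSTS and parent is not None
                and parent.name in OFFICE_IMAGES and runs_script_file(e.cmdline)):
            findings.append({"stage": "office_spawned_script", "pid": e.pid,
                             "chain": [parent.name, e.name], "cmdline": e.cmdline})
            continue
        if e.name in DLL_LOADERS:
            chain = [e] + list(ancestry(e, index))
            names = [p.name for p in chain]
            for i in range(1, len(names) - 1):
                if names[i] in SCRIPT_HOSTS and names[i + 1] in OFFICE_IMAGES:
                    findings.append({"stage": "dll_loaded_via_office_script", "pid": e.pid,
                                     "chain": list(reversed(names[: i + 2])), "cmdline": e.cmdline})
                    break
    return findings


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\u\Downloads\report.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage1.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Entry"),
    # Benign: Word spawning its print helper is a normal parent/child pair.
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ProcEvent(600, 500, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Benign: a user-run batch file from Explorer that calls rundll32 has no Office ancestor.
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\tools\fixprinter.bat"'),
    ProcEvent(800, 700, r"C:\Windows\System32\rundll32.exe", "rundll32.exe printui.dll,PrintUIEntry /?"),
]

if __name__ == "__main__":
    for f in find_macro_dropper_chains(SAMPLE_EVENTS):
        print(f["stage"], f["pid"], " -> ".join(f["chain"]), "|", f["cmdline"])
```

Stage 1 fires on the Word-to-batch launch alone, so it gives an early signal before any payload is dropped; stage 2 ties the later DLL load back to that Office ancestor, which separates it from the benign rundll32 invocation under a user-started cmd.exe.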
Konni is far from the only North Korean threat actor to single out Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective known as ScarCruft (aka APT37) has also targeted trading companies and missile engineering firms located in the country.
The disclosure also comes less than two months after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, disclosed that threat actors from Asia, principally those from China and North Korea, accounted for a majority of attacks against the country’s infrastructure.
“The North Korean Lazarus group is also highly active on the territory of the Russian Federation,” the company said. “As of early November, Lazarus hackers still have access to a number of Russian systems.”