
Russian Ministry Software Infected with North Korean KONNI Malware


A recent cybersecurity revelation has shed light on the KONNI malware, a tool associated with North Korean cyber operations, being used against the Russian Ministry of Foreign Affairs (MID). The discovery was made by the German cybersecurity firm DCSO, which found a malware sample uploaded to VirusTotal in January 2024 that is believed to be part of a larger operation aimed at the Russian MID.

KONNI, a malware tool first identified in 2014, is linked to Democratic People’s Republic of Korea (DPRK)-nexus actors such as the Konni Group and TA406. Its capabilities include data theft functions and remote administration features. The malware is typically installed via an MSI file, with encrypted C2 servers and a CustomAction that handles payload selection and detection.

Researchers analyzing the KONNI sample highlighted that its command set remains consistent, allowing operators to execute various tasks like file upload/download, command execution, communication via HTTP, and archiving files into .CAB format. This sophisticated tool has been used in numerous cyberespionage campaigns targeting Russian entities.
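The MSI-based delivery described above (an installer whose CustomAction launches the payload) leaves a recognisable trace in endpoint telemetry: msiexec.exe spawning an interpreter or an executable from a user-writable path. The following hunting helper is an added example, not code from the page or from DCSO's report; it uses Sysmon Event ID 1 field names and entirely constructed sample records.

```python
"""Hunting helper: flag msiexec.exe child processes that look like an
MSI CustomAction handing off to a payload (constructed example, not from the page)."""
import re

# Interpreters and LOLBins that a malicious CustomAction commonly hands a payload to.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Executables launched from user-writable locations rather than the install target
# or the Windows Installer cache (C:\Windows\Installer\MSIxxxx.tmp is normal).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means no finding."""
    if basename(event["ParentImage"]) != "msiexec.exe":
        return []
    child = basename(event["Image"])
    reasons = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"msiexec spawned interpreter/LOLBin {child}")
    if USER_WRITABLE.search(event["Image"]):
        reasons.append("msiexec child runs from a user-writable path")
    return reasons


def scan(events: list) -> list:
    """Pair each flagged image with its reasons; benign events are dropped."""
    return [(e["Image"], r) for e in events if (r := classify(e))]


# Constructed sample records (hypothetical user name and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",          # service re-launching client
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec.exe /V"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",          # ordinary CustomAction binary
     "Image": r"C:\Windows\Installer\MSI4C2A.tmp", "CommandLine": "MSI4C2A.tmp"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",          # CustomAction via cmd.exe
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c stat_setup.bat"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",          # payload dropped under AppData
     "Image": r"C:\Users\ivan\AppData\Roaming\svc\helper.exe", "CommandLine": "helper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",                  # unrelated user launch
     "Image": r"C:\Program Files\App\app.exe", "CommandLine": "app.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Legitimate installers also run scripts from CustomActions, so treat a hit as a triage signal to be corroborated with the installer's signature, origin and hash rather than a verdict on its own.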

Notably, the latest discovery revealed that a backdoored Russian language software installer was responsible for delivering the KONNI malware. The software in question, known as “Statistika KZU,” is used within the Russian MID for relaying annual report files from overseas consular posts to the Consular Department. Two detailed user manuals were found within the backdoored installer, outlining the software installation and usage procedures.

Further investigation revealed no direct connections between the MID’s software and the backdoored installer, but references to contracts, including automated system maintenance and data protection software procurement orders, were noted. This discovery comes amid growing geopolitical concerns, as Russia and North Korea have drawn closer following Russia’s invasion of Ukraine.

The relationship between Russia and North Korea in the cybersecurity realm has been tumultuous, with previous incidents highlighting cyber threats posed by both nations. In August 2023, elite North Korean hackers associated with groups like OpenCarrot and the Lazarus group breached NPO Mashinostroyeniya, a critical Russian missile developer, showcasing the capabilities and determination of the attackers.

KONNI malware has been previously utilized in cyber campaigns targeting Russian agencies, with various incidents reported over the years. The malware has been used to target Windows systems through malicious Word documents with macros and has been associated with campaigns using Russian language lures on trade and economic issues.

Experts emphasize that espionage activities, such as those involving KONNI malware, often aim for persistent long-term infections with precise targeting strategies. The use of backdoors in software exclusively used by the Russian Foreign Ministry demonstrates a meticulous approach by North Korean threat actors in their cyber operations.

Overall, the discovery of KONNI malware targeting the Russian Ministry of Foreign Affairs underscores the evolving landscape of cybersecurity threats and the geopolitical implications of such activities. It serves as a reminder of the complex interplay between nation-states in the digital realm and the ongoing efforts to secure critical infrastructure and sensitive information from malicious actors.
