Security News > 2022 > January > North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry

A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation's Ministry of Foreign Affairs with New Year lures to compromise Windows systems with malware.

The most recent attacks involved the actor gaining access to the target networks through stolen credentials, exploiting the foothold to load malware for intelligence gathering purposes, with early signs of the activity documented by MalwareBytes as far back as July 2021.

"The timing of this activity closely aligned with the passage of Russian Vaccine Passport laws that mandated Russians had to receive a QR code from the government to prove vaccination in order to access public places such as restaurants and bars," the researchers noted.

The third attack, also corroborated by Cluster25 earlier this week, began on December 20, 2021, using New Year's Eve festivities as a spear-phishing theme to trigger a multi-stage infection chain that culminated in the installation of a remote access trojan named Konni RAT. Specifically, the intrusions transpired by first compromising the email account belonging to a staff member of the MID, from which emails were sent to at least two other MID entities, including the Russian Embassy in Indonesia and Sergey Alexeyevich Ryabkov, a deputy minister overseeing non-proliferation and arms control.

The email missives seemingly propagated a "Happy New Year's" message, only to contain a trojanized screensaver attachment that's designed to retrieve and run next-stage executables from a remote server.

The final stage of the attack is the deployment of the Konni RAT trojan, which conducts reconnaissance of the infected machine and exfiltrates the collected information back to the server.

News URL

https://thehackernews.com/2022/01/north-korean-hackers-start-new-year.html