Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

November 23, 2023 at 10:06AM

A new phishing campaign attributed to the cyber espionage group Konni has been observed. The attackers use a Russian-language Microsoft Word document to deliver malware that collects sensitive information from compromised Windows hosts. The group is known for targeting Russia and relies on spear-phishing emails and malicious documents as its entry points. Recent attacks have exploited the WinRAR vulnerability CVE-2023-38831 and used obfuscated Visual Basic scripts. The latest attack uses a macro-laced Word document to deploy a DLL with information-gathering and exfiltration capabilities.

Key takeaways:

1. A new phishing attack uses a Russian-language Microsoft Word document to distribute malware and harvest sensitive information from compromised Windows devices.
2. The attack has been attributed to a threat actor called Konni, which is believed to have connections to the North Korean group known as Kimsuky (aka APT43).
3. Konni's primary targets are in Russia, and it uses spear-phishing emails and malicious documents as entry points for its attacks.
4. Recent attacks have exploited the WinRAR vulnerability CVE-2023-38831 and used obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script for data collection.
5. The latest attack, observed by Fortinet, involves a macro-laced Word document that displays a Russian-language article as a decoy while launching a Batch script that performs system checks and a UAC bypass.
6. Konni's payload combines the UAC bypass with encrypted communication to a C2 server, allowing the operators to execute privileged commands on the host.
7. Another North Korean threat actor known as ScarCruft (aka APT37) has also targeted companies in Russia.
8. The cybersecurity arm of Russian state-owned telecom company Rostelecom has found that Asian threat actors, particularly from China and North Korea, are responsible for the majority of attacks on Russia’s infrastructure.
9. The Lazarus group, which is associated with North Korea, still has access to some Russian systems.

Taken together, these points describe the latest malware and cyber espionage activity against Russian targets by North Korean threat actors.
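The entry point in both the Konni chain above and the earlier VBA-based attacks is a Word document carrying a VBA project. The check below is an added example, not code from the original article or from Fortinet: it inspects a Word file's container for macro indicators without opening it in Word, covering both the legacy OLE2 (.doc) layout and the OOXML (.docm/.docx) zip layout. The function names and the in-memory sample documents are constructed for this example and are not the actual lure files; the OLE2 branch is a byte-pattern heuristic, not a full Compound File parser.

```python
"""Static triage of Word documents for embedded VBA macros.

Added example (not from the article). Inspects the file container only;
nothing is executed or rendered. Sample documents are constructed inline.
"""
import io
import zipfile

# Compound File Binary (legacy .doc) header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_word_doc(data: bytes) -> dict:
    """Return the container type and any VBA indicators found in raw file bytes."""
    result = {"container": "unknown", "has_vba": False, "indicators": []}

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        # OLE directory entry names are stored as UTF-16LE. A Word VBA project
        # lives in a "Macros" storage whose "VBA" substorage holds the
        # "_VBA_PROJECT" stream. Heuristic substring scan, no CFB parsing.
        for name in ("Macros", "_VBA_PROJECT"):
            if name.encode("utf-16-le") in data:
                result["indicators"].append(f"ole entry name: {name}")
        result["has_vba"] = bool(result["indicators"])
        return result

    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                result["container"] = "ooxml"
                # The VBA project is stored as a binary OLE part inside the zip.
                if "word/vbaProject.bin" in names:
                    result["indicators"].append("part: word/vbaProject.bin")
                if "[Content_Types].xml" in names:
                    if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                        result["indicators"].append("content type: macroEnabled")
        except zipfile.BadZipFile:
            return result
        result["has_vba"] = bool(result["indicators"])

    return result


def triage(filename: str, data: bytes) -> dict:
    """Combine container inspection with an extension sanity check."""
    result = inspect_word_doc(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A VBA project inside a file presented as .docx is worth flagging on its own:
    # the extension claims a macro-free format.
    if result["has_vba"] and ext == "docx":
        result["indicators"].append("extension mismatch: vba project in .docx")
    if result["container"] == "unknown":
        result["verdict"] = "unparsed"
    else:
        result["verdict"] = "suspicious" if result["has_vba"] else "no-vba"
    return result


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            b'<Types><Override PartName="/word/document.xml" ContentType="'
            + main_ct + b'"/></Types>',
        )
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_sample(with_macro: bool) -> bytes:
    """Constructed stub with an OLE2 header; only the entry-name scan is exercised."""
    body = b"\x00" * 64
    if with_macro:
        body += "Macros".encode("utf-16-le") + b"\x00" * 8
    return OLE_MAGIC + body


if __name__ == "__main__":
    for name, blob in (
        ("report.docm", build_ooxml_sample(True)),
        ("report.docx", build_ooxml_sample(True)),
        ("report.docx", build_ooxml_sample(False)),
        ("report.doc", build_ole_sample(True)),
    ):
        print(name, triage(name, blob))
```

Use it as a first-pass filter on mail attachments or quarantined downloads before handing anything to a sandbox; a "suspicious" verdict means the file carries a VBA project, not that the project is malicious, and a "no-vba" verdict says nothing about other vectors such as external OLE links or exploit documents.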
