lazarusholic

New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs

2022-01-05, Lumen
https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/
#Konni

Contents

Executive Summary
Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted actions against the Russian Federation’s Ministry of Foreign Affairs (MID). Based upon the totality of information available and the close correlation with prior reporting, we assess with moderate confidence these actions leveraged the Konni malware, which has previously been associated with the Democratic People’s Republic of Korea, and were undertaken to establish access to the MID network for the purpose of espionage. This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program coinciding with new Covid mandates, and then through sending trojanized files …

IoC
