lazarusholic

New variant of Konni malware used in campaign targeting Russia

2021-08-20, Malwarebytes
https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
#Konni

This blog post was authored by Hossein Jazi
In late July 2021, we identified an ongoing spear phishing campaign pushing Konni RAT at targets in Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group APT37.
We discovered two documents written in Russian and weaponized with the same malicious macro. One lure concerns trade and economic issues between Russia and the Korean Peninsula; the other concerns a meeting of the intergovernmental Russian-Mongolian commission.
In this blog post we provide an overview of this campaign, which uses two different UAC bypass techniques and clever obfuscation tricks to stay under the radar.
Attack overview
The following diagram shows the overall flow used by this actor to compromise victims. The malicious activity starts from a document that executes a macro followed by a chain of activities that finally deploys the …

IoC

062aa6a968090cf6fd98e1ac8612dd4985bf9b29e13d60eba8f24e5a706f8311
10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f
4876a41ca8919c4ff58ffb4b4df54202d82804fd85d0010669c7cb4f369c12c3
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6
617f733c05b42048c0399ceea50d6e342a4935344bad85bba2f8215937bc0b83
7a8f0690cb0eb7cbe72ddc9715b1527f33cec7497dcd2a1010def69e75c46586
7f82540a6b3fc81d581450dbdf7dec7ad45d2984d3799084b29150ba91c004fd
80641207b659931d5e3cad7ad5e3e653a27162c66b35b9ae9019d5e19e092362
a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d
d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12
fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa
http://romanovawillkillyou.c1.biz
http://takemetoyouheart.c1.biz
http://taketodjnfnei898.c1.biz
http://taketodjnfnei898.c1.biz/dn.php?name=%UserName%&prefix=tt
http://taketodjnfnei898.c1.biz/up.php?name=%UserName%
http://taketodjnfnei898.ueuo.com
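The list above mixes SHA-256 hashes with C2 hosts and two full beacon URLs, so it is worth showing how to turn it into a check that can be run over proxy and EDR records. The script below is an added example and is not part of the Malwarebytes post or of any Konni tooling: it parses the IoC block as published, matches hosts exactly (so the shared free-hosting apex c1.biz on its own does not alert), matches file hashes, and separately flags the dn.php/up.php?name= beacon shape so a re-hosted C2 with the same URL pattern is still caught. The log records are constructed for illustration; the only real data is the IoC list itself.

```python
"""Match the Konni IoCs published above against proxy/EDR-style records.

Added example, not code from the original post. SAMPLE_RECORDS are
constructed log lines; KONNI_IOCS is copied from the IoC list above.
"""
import re
from urllib.parse import urlparse

# IoC block exactly as listed on the page (SHA-256 hashes and C2 URLs).
KONNI_IOCS = """
062aa6a968090cf6fd98e1ac8612dd4985bf9b29e13d60eba8f24e5a706f8311
10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f
4876a41ca8919c4ff58ffb4b4df54202d82804fd85d0010669c7cb4f369c12c3
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6
617f733c05b42048c0399ceea50d6e342a4935344bad85bba2f8215937bc0b83
7a8f0690cb0eb7cbe72ddc9715b1527f33cec7497dcd2a1010def69e75c46586
7f82540a6b3fc81d581450dbdf7dec7ad45d2984d3799084b29150ba91c004fd
80641207b659931d5e3cad7ad5e3e653a27162c66b35b9ae9019d5e19e092362
a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d
d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12
fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa
http://romanovawillkillyou.c1.biz
http://takemetoyouheart.c1.biz
http://taketodjnfnei898.c1.biz
http://taketodjnfnei898.c1.biz/dn.php?name=%UserName%&prefix=tt
http://taketodjnfnei898.c1.biz/up.php?name=%UserName%
http://taketodjnfnei898.ueuo.com
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"https?://\S+")
HASH_FIELD_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")
# Beacon shape seen in the two full URLs above: /dn.php?name= and /up.php?name=
C2_PATH_RE = re.compile(r"/(?:dn|up)\.php\?name=")


def parse_iocs(text):
    """Split the IoC block into a set of SHA-256 hashes and a set of C2 hostnames."""
    hashes, hosts = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if SHA256_RE.match(line):
            hashes.add(line)
        elif line.startswith(("http://", "https://")):
            hosts.add(urlparse(line).hostname)
    return hashes, hosts


def scan_record(record, hashes, hosts):
    """Return the reasons a single record matches the IoCs (empty list if clean)."""
    reasons = []
    m = HASH_FIELD_RE.search(record)
    if m and m.group(1).lower() in hashes:
        reasons.append("sha256:" + m.group(1).lower())
    for url in URL_RE.findall(record):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in hosts:  # exact host match, not a substring match on c1.biz
            reasons.append("host:" + host)
        if C2_PATH_RE.search(url):  # beacon path shape, independent of host
            reasons.append("beacon-path:" + parsed.path)
    return reasons


def scan_records(records, iocs):
    """Return [(index, reasons)] for every record that matches at least one IoC."""
    hashes, hosts = iocs
    hits = []
    for i, rec in enumerate(records):
        reasons = scan_record(rec, hashes, hosts)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed records (timestamp, client, action, object, status); not real telemetry.
SAMPLE_RECORDS = [
    "2021-08-12T10:01:58Z 10.0.0.5 FILE doc.dll sha256=062aa6a968090cf6fd98e1ac8612dd4985bf9b29e13d60eba8f24e5a706f8311",
    "2021-08-12T10:02:11Z 10.0.0.5 GET http://taketodjnfnei898.c1.biz/dn.php?name=ivanov&prefix=tt 200",
    "2021-08-12T10:03:40Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2021-08-12T10:05:02Z 10.0.0.9 GET http://c1.biz/ 200",
    "2021-08-12T10:06:30Z 10.0.0.5 GET http://takemetoyouheart.c1.biz/ 404",
]

if __name__ == "__main__":
    for idx, why in scan_records(SAMPLE_RECORDS, parse_iocs(KONNI_IOCS)):
        print(idx, why, SAMPLE_RECORDS[idx])
```

The beacon-path rule is deliberately host-independent: the same dn.php/up.php?name= shape on a host not in the list is still a hit, and the record for the bare c1.biz apex is not, which is the behaviour you want when the actor rotates subdomains on free hosting.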