To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer

2024-02-21, DCSO
https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3
#Konni

Earlier this year, DCSO observed an intriguing malware sample first uploaded to VirusTotal in mid-January 2024 that we believe to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs.
The malware itself appears to be KONNI, a North Korea (DPRK) nexus tool believed to have been used since as early as 2014. The use of KONNI in highly similar activity targeting the Russian Ministry of Foreign Affairs was previously observed by various researchers in a 2021 campaign. We have noted that additional researchers have independently uncovered the same upload that we assess in this blogpost and identified it as a KONNI sample.
Perhaps more interestingly, however, the sample was bundled into a backdoored Russian language software installer. This is a KONNI delivery technique that we have previously observed, with a sample from 2023 delivered via a backdoored …

IoC
