Russian gov software backdoored to deploy Konni RAT.

German cybersecurity firm DCSO has discovered that an installer for a tool, which is likely used by the Consular Department of the Russian Ministry of Foreign Affairs (MID), has been backdoored to deliver a remote access trojan called Konni RAT (also known as UpDog). According to DCSO, the activity originates from Democratic People's Republic of Korea (DPRK)-nexus actors targeting Russia.

The Konni (Opal Sleet, Osmium, or TA406) activity cluster has a well-established pattern of deploying Konni RAT against Russian entities. The threat actor has been linked to attacks directed against MID since October 2021. In November 2023, Fortinet FortiGuard Labs revealed the use of Russian-language Microsoft Word documents to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

DCSO said the group previously adopted the packaging of Konni RAT within software installers in October 2023, when it was found to leverage a backdoored tax filing software named Spravki BK to distribute the trojan. The backdoored installer appears to be for a tool called 'Statistika KZU' (Статистика КЗУ), which is intended for internal use within the Ministry of Foreign Affairs (MID). Specifically, the tool is used to relay annual report files from overseas consular posts (КЗУ, short for консульские загранучреждения, "consular institutions abroad") to the Consular Department of the MID via a secure channel.

The trojanized installer is an MSI file that, when launched, initiates the infection sequence and establishes contact with a command-and-control (C2) server to await further instructions. Konni RAT, which has capabilities for file transfers and command execution, is believed to have been in use as early as 2014 and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37).

It is currently unclear how the threat actors obtained the installer, given that it is not publicly available. However, the group's long history of espionage operations targeting Russia may have helped it identify prospective tools for subsequent attacks. The development comes amid growing geopolitical proximity between North Korea and Russia. State media from the Hermit Kingdom reported this week that President Vladimir Putin has given leader Kim Jong Un a luxury Russian-made car.

DCSO said, “To some extent, this should not come as a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection needs, with an ongoing need on the part of the DPRK to be able to assess and verify foreign policy planning and objectives.”

Overall, the discovery highlights the importance of software security and the need for organizations to take appropriate measures to safeguard their systems against malicious actors.

Want to read more? Check out the original article available at The Hacker News!

Deitasoft © 2024. All Rights Reserved.