Konni RAT Malware Attack: Russian Govt. Software Backdoor
In a recent revelation, German cybersecurity firm DCSO has uncovered the Konni RAT malware attack, which involves the deployment of a Remote Access Trojan. The attackers trojanized the installer of a tool associated with the Russian Consular Department of the Ministry of Foreign Affairs (MID). This tool, named ‘Statistika KZU,’ was found to have been backdoored so that running its installer delivers the Konni RAT.
In this blog, we’ll delve into the intricate details of the Konni RAT malware attack, shedding light on its origins, modus operandi, and implications for cybersecurity.
Origin and Attribution Of The Konni RAT Malware Attack
The origin of this cyber activity has been traced to actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. Remarkably, these DPRK-nexus actors were found targeting Russia, specifically the Russian Consular Department. The Konni activity cluster, also tracked as Opal Sleet, Osmium, or TA406, has a documented history of deploying the Konni RAT against Russian entities.
The threat actor has been linked to attacks on the MID since at least October 2021. This revelation follows Fortinet FortiGuard Labs’ previous discovery in November 2023, wherein Russian-language Microsoft Word documents were utilized to distribute malware capable of harvesting sensitive information from compromised Windows hosts.
Konni RAT Malware Deployed via Russian Govt. Software Backdoor
DCSO highlighted the attackers’ technique of packaging the Konni RAT within software installers. Notably, this technique was previously observed in October 2023, when a backdoored Russian tax filing software named Spravki BK was used for the same purpose.
In this instance, the compromised installer belonged to Statistika KZU, a legitimate tool intended for internal use within the Russian MID. Specifically, the tool relays annual report files from overseas consular posts to the Consular Department of the MID through a secure channel.
Infection Sequence
The trojanized installer is an MSI file. Launching it triggers an infection sequence that installs the Konni RAT and establishes contact with a command-and-control (C2) server, after which the implant awaits further instructions from the attackers. The Konni RAT, whose capabilities include command execution, file transfer, and data collection for espionage, has been in use since at least 2014. It is also known to be utilized by other North Korean threat actors, including Kimsuky and ScarCruft (APT37).
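The practical defence against a trojanized installer of an internal tool is to check the installer’s provenance before it is ever launched. The script below is an added example and is not code from the original article or from DCSO; it compares a candidate MSI against an allowlist of known-good SHA-256 hashes that the tool’s owner is assumed to publish out of band, and first confirms the file is actually an OLE Compound File Binary (CFB) container, which is the on-disk format of genuine MSI packages. The hash allowlist, the file contents and the file names are constructed for the example; nothing here reflects the real Statistika KZU package or the real trojanized installer.

```python
import hashlib

# Every genuine MSI package is an OLE Compound File Binary container, which
# starts with this fixed 8-byte signature.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_cfb_container(data: bytes) -> bool:
    """Return True if the bytes begin with the CFB/MSI magic signature."""
    return data[: len(CFB_MAGIC)] == CFB_MAGIC


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole file; this is what the allowlist is keyed on."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, allowlist: set[str]) -> tuple[bool, str]:
    """
    Decide whether an installer may be run.

    Returns (True, "ok") only when the file is a CFB container AND its
    SHA-256 appears in the allowlist of hashes distributed by the tool owner.
    A repackaged installer that still carries the vendor's file name and
    version string fails here because its hash changes.
    """
    if not is_cfb_container(data):
        return False, "not a CFB/MSI container"
    digest = sha256_hex(data)
    if digest not in allowlist:
        return False, f"sha256 {digest[:16]}... not in allowlist"
    return True, "ok"


def check_candidates(candidates: dict[str, bytes], allowlist: set[str]) -> dict[str, str]:
    """Run verify_installer over a name -> bytes mapping and report the reason per file."""
    return {name: verify_installer(blob, allowlist)[1] for name, blob in candidates.items()}


# --- constructed sample data (not real installers) -------------------------
# A stand-in for the genuine package: CFB magic followed by filler content.
GOOD_MSI = CFB_MAGIC + b"\x00" * 504 + b"genuine installer payload"
# A stand-in for a repackaged build: same container type, different content.
TROJANIZED_MSI = CFB_MAGIC + b"\x00" * 504 + b"genuine installer payload + dropper"
# A file that merely has an .msi extension but is not a CFB container at all.
FAKE_MSI = b"MZ" + b"\x90" * 62

# The allowlist the tool owner is assumed (hypothetically) to publish.
ALLOWLIST = {sha256_hex(GOOD_MSI)}

if __name__ == "__main__":
    report = check_candidates(
        {"statistika_kzu.msi": GOOD_MSI,
         "statistika_kzu_repack.msi": TROJANIZED_MSI,
         "statistika_kzu_renamed.msi": FAKE_MSI},
        ALLOWLIST,
    )
    for name, reason in report.items():
        print(f"{name}: {reason}")
```

A hash allowlist only helps if the reference hashes travel over a channel the attacker cannot tamper with (a signed release note, an internal ticket, a read-only share), and it complements rather than replaces Authenticode signature checks on the package; an installer that was never signed in the first place gives you nothing to verify, which is exactly why an out-of-band hash matters for internal tools.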
Source, Motivation, And Geopolitical Implications
How the attackers obtained the Russian government tool’s installer remains unclear, as it is not publicly available. DCSO suspects that the group’s long history of espionage operations against Russia gave it access to, or knowledge of, internal tools that could be repackaged for subsequent attacks.
While North Korea’s targeting of Russia is not a new phenomenon, the timing of this cyber threat is noteworthy. It occurs amid increasing geopolitical proximity between the two countries. Recent reports from North Korean state media reveal that Russian President Vladimir Putin gifted leader Kim Jong Un a luxury Russian-made car.
DCSO CyTec research suggests that despite growing strategic ties, North Korea maintains a keen interest in assessing and verifying Russian foreign policy planning and objectives. The discovery of the Konni RAT inside a backdoored Russian government software installer shows how far threat actors will go to compromise sensitive systems.
Conclusion
North Korean cyberattacks continue to pose significant threats to global cybersecurity infrastructure. The discovery of the Konni RAT deployed through a backdoored Russian Consular Department tool underscores the evolving landscape of cyber threats and geopolitical intricacies.
Delivering the Konni RAT through trojanized Russian government software shows the increasing sophistication of attacks on governmental systems, and in particular the risk posed by internal tools whose installers are never verified before use. As cyber threats continue to transcend borders, organizations must remain vigilant and adopt robust cybersecurity measures to safeguard sensitive information and ensure business continuity.
The sources for this piece include articles in The Hacker News and Cyber Security News.