Russian Government Software Backdoored to Deploy Konni RAT Malware

German cybersecurity company DCSO has shed light on a malware sample that is believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs. Dubbed KONNI, the trojan was uploaded to VirusTotal in mid-January 2024 and is believed to have been in use since as early as 2014. In the latest campaign uncovered by DCSO, KONNI was observed being distributed via a backdoored installer for a Russian-language tool named “Statistika KZU,” intended for use within the Russian Ministry of Foreign Affairs. The installer is an MSI file that, when launched, initiates an infection sequence to establish contact with a command-and-control (C2) server and await further instructions. Given that this installer is not publicly available, it is unclear how the actors were able to get hold of it. Researchers suspect that the long history of espionage operations targeting Russia may have helped them identify prospective tools for subsequent attacks.

Security Officer Comments:
KONNI initially served as an infostealer and steadily gained features over the years, including remote administration capabilities. Current samples, however, appear to carry only a minimal set of capabilities: executing commands and returning their output, uploading and downloading files, and setting sleep intervals.

According to researchers, KONNI has been used to target Russian entities on several occasions in the last couple of years, including a campaign in 2021 targeting the Russian Ministry of Foreign Affairs, as well as another campaign disclosed by Microsoft in March 2023 that targeted Russian diplomatic government entities with phishing e-mails. The latest campaign is a continuation of this targeting, with the actors employing new tactics to conduct their operations and remain undetected for longer periods of time.

Suggested Corrections:
Spear-phishing emails and malicious documents typically act as the entry point for deploying the KONNI RAT. As such, users should be careful not to open links or attachments in emails from unknown senders. DCSO has also published a set of IOCs which can be useful for detection purposes: