Russian Government Software Backdoored to Deploy Konni RAT Malware

An installer for a utility probably used by the Consular Department of the Russian Ministry of Foreign Affairs (MID) has been backdoored to deliver the remote access trojan Konni RAT (also known as UpDog).

The investigation was conducted by the German cybersecurity firm DCSO, which attributed the Russia-focused operation to actors with ties to the Democratic People’s Republic of Korea (DPRK).

The Konni activity cluster, also tracked as Opal Sleet, Osmium, or TA406, has a documented history of deploying Konni RAT against Russian organisations. The threat actor has also been linked to attacks on MID since at least October 2021.

In November 2023, Fortinet FortiGuard Labs reported the use of Russian-language Microsoft Word documents as a delivery vehicle for malware capable of infecting Windows computers and harvesting sensitive data.

According to DCSO, the group first adopted the tactic of bundling Konni RAT inside software installers in October 2023, when the malware was found being distributed through a backdoored installer for a Russian tax filing programme called Spravki BK.

The Berlin-based company stated, “In this case, the backdoored installer seems to be for a utility named ‘Statistika KZU’ (Статистика КЗУ).

“On the basis of install paths, file metadata, and user manuals bundled into the installer, […] the software is intended for internal use within the Russian Ministry of Foreign Affairs (MID), specifically for the relaying of annual report files from overseas consular posts (КЗУ — консульскиe загранучреждения) to the Consular Department of the MID via a secure channel.”

The trojanized installer, an MSI file, launches the infection sequence by contacting a command-and-control (C2) server to obtain further instructions.

The remote access trojan, which can execute commands and transfer files, is thought to have been in use since at least 2014 and has also been employed by two other North Korean threat actors, ScarCruft (also known as APT37) and Kimsuky.

Since the installer is not publicly available, it remains unclear how the threat actors obtained it. However, their lengthy history of espionage against Russia is thought to have made it easier to identify targets for follow-on attacks.

While North Korea’s targeting of Russia is not new, the development comes amid growing geopolitical proximity between the two countries. State media from the Hermit Kingdom reported this week that Russian President Vladimir Putin has given leader Kim Jong Un a luxury Russian-made car.

“To some extent, this should not come as a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection needs, with an ongoing need on the part of the DPRK to be able to assess and verify Russian foreign policy planning and objectives,” DCSO said.
