The North Korean hacking group Konni APT is conducting phishing campaigns targeting Ukrainian government institutions, according to the American company Proofpoint, which specializes in corporate security.
The North Korean hacking group Konni APT is conducting phishing campaigns targeting Ukrainian government institutions, according to the American company Proofpoint, which specializes in corporate security.
The Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyberespionage group with a history of attacks on institutions in South Korea, the United States, and Russia. It has been operating since at least 2014.
The recorded set of attacks involves the use of phishing emails that impersonate a fictional senior fellow at a think tank called the Royal Institute for Strategic Studies, which is a non-existent organization, The Hacker News reports .
The emails contain a link to a password-protected RAR archive hosted on the MEGA cloud service. Opening the RAR archive using the password provided in the body of the message triggers an infection sequence designed to conduct large-scale reconnaissance of compromised machines.
Specifically, the RAR archive contains a CHM file that displays bait content related to Valery Zaluzhny. If the victim clicks anywhere on the page, a PowerShell command embedded in the HTML is executed to contact an external server and download the following PowerShell package.
The PowerShell script being run is capable of executing various commands to collect system information, encode it using Base64, and send it to the same server.
«The hackers sent multiple phishing emails over several consecutive days. When the victim did not click on the link, they were asked if they had received the previous emails and if they would download the files,» the researchers said.
Proofpoint also reported seeing an HTML file distributed directly as an attachment to phishing emails. In this attack variant, the victim is instructed to click on an embedded link in the HTML file, which downloads a ZIP archive containing a safe PDF file and a Windows shortcut (LNK) file.
When the LNK is executed, it executes Base64-encoded PowerShell to delete a Javascript file called «Themes.jse» using a Visual Basic script. The JSE malware, in turn, contacts a URL controlled by the hackers and triggers a response from the server via PowerShell. The exact nature of the payload is currently unknown.
Additionally, TA406 was observed attempting to harvest credentials by sending fake Microsoft security messages to Ukrainian government agencies from ProtonMail accounts, alerting them to suspicious login activity from IP addresses located in the United States and urging them to confirm the login by clicking a link.
Although the credential collection page has not been restored, the same compromised domain is said to have been used in the past to collect Naver login information.
«It is highly likely that TA406 is collecting intelligence to help the North Korean leadership determine the current risk to its troops already engaged in hostilities, as well as the likelihood that Russia will request more troops or weapons,» Proofpoint explains.
«Unlike Russian groups, which are likely tasked with gathering tactical battlefield information and identifying targets against Ukrainian forces on the ground, TA406 typically focuses on more strategic efforts to gather political intelligence,» the cyber experts added.
