Hackers suspected of working for the North Korean government compromised the email account of a Russian Foreign Ministry (MID) staff member and launched spear-phishing attacks against the country’s diplomats in other regions.
One of the targets was Sergey Alexeyevich Ryabkov, deputy foreign minister of the Russian Federation, responsible in particular for bilateral relations with North and South America.
The phishing campaign began no later than October 19, 2021, delivering the Konni malware, a remote administration tool (RAT) associated with the cyber activity of the North Korean hackers known as APT37 (also tracked as ScarCruft, Group123, Operation Erebus and Operation Daybreak).
Russian diplomatic targets
Cyber security firm Cluster25 last week published research on a phishing campaign from late December 2021 that delivered the Konni RAT to individuals in the Russian diplomatic apparatus.
The researchers found that the hackers were using the New Year’s theme as a lure in emails to staff at the Russian Embassy in Indonesia.
It was a congratulatory message that appeared to come from fellow diplomats at the Russian Embassy in Serbia and carried a ZIP archive with a holiday screensaver.
When extracted, the file turned out to be an executable that ultimately installed the Konni RAT disguised as a Windows service, “scrnsvc.dll”.
Lumen’s Black Lotus Labs researchers were also tracking these spear-phishing campaigns, which had started at least two months earlier, with the likely goal of harvesting the credentials of an active MID account.
To achieve this, the attackers relied on spoofed host names imitating common Russian email services, Mail.ru and Yandex.
Another campaign started around November 7, providing URLs to download an archive of documents requesting information on immunization status.
The archive also included an executable masquerading as legitimate software for checking Covid-19 vaccination status, which ran a malware loader that infected the system with Konni.
According to researchers at Black Lotus Labs, the December campaign also spotted by Cluster25 was the third by the same threat actor and used the compromised MID account “mskhlystova@mid[.]ru” to send the malicious emails.
The recipients of the malicious messages were the Russian Embassy in Indonesia and Russian politician Sergey Alexeyevich Ryabkov, currently Deputy Foreign Minister.
Examination of the email headers revealed that the messages originated from the same IP address, 152.89.247[.]26, that had been used for the phishing campaign in October, Black Lotus Labs found.
Technical analysis of the infection chain by researchers at Lumen confirmed the findings of Cluster25, including the evasion technique of hiding a payload in a “401 Unauthorized” HTTP error response from the server.
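The two checks described above, matching the originating IP from the Received: headers against reported infrastructure and flagging a ZIP lure that hides an executable “screensaver”, can be automated in a mail-triage script. The following Python is an added example written for this page, not code from Cluster25 or Black Lotus Labs: the indicators are the IP and sender address quoted in the article, while the sample message, hostnames (`example.invalid`) and the fake `.scr` inside the archive are constructed for the demonstration.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted in the public reporting on this campaign (undefanged for matching).
KNOWN_BAD_IPS = {"152.89.247.26"}
KNOWN_COMPROMISED_SENDERS = {"mskhlystova@mid.ru"}
# Extensions Windows executes directly; a "holiday screensaver" (.scr) is one of them.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Bracketed IPv4 literal that an MTA records in a Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg: EmailMessage) -> list:
    """IPv4 literals from Received: headers, earliest hop first.

    Each MTA prepends its own Received: line, so the last such header in the
    message describes the host that originally handed the message in.
    """
    ips = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP_RE.search(str(header))
        if match:
            ips.append(match.group(1))
    return ips[::-1]


def executables_in_zip(data: bytes) -> list:
    """Names inside a ZIP attachment that carry a directly executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]


def triage(raw: bytes) -> dict:
    """Check one RFC 5322 message against the sender, IP and attachment indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in KNOWN_COMPROMISED_SENDERS:
        findings.append(f"from: {sender} is a reported compromised account")

    hops = received_ips(msg)
    for ip in hops:
        if ip in KNOWN_BAD_IPS:
            findings.append(f"received: hop {ip} matches reported sending infrastructure")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        for inner in executables_in_zip(payload):
            findings.append(f"attachment: {name} contains executable {inner}")

    return {"sender": sender, "hops": hops, "findings": findings}


def build_sample() -> bytes:
    """Constructed lookalike of the New Year lure; not a captured message."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Placeholder bytes standing in for the executable; not a real binary.
        zf.writestr("Happy New Year.scr", b"MZ placeholder for the demo")
    msg = EmailMessage()
    msg["From"] = "mskhlystova@mid.ru"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Happy New Year"
    # Received: lines are stored newest hop first, as an MTA would leave them.
    msg["Received"] = ("from mx.example.invalid ([192.0.2.10]) by inbox.example.invalid; "
                       "Mon, 20 Dec 2021 09:00:02 +0000")
    msg["Received"] = ("from client.example.invalid ([152.89.247.26]) by mx.example.invalid; "
                       "Mon, 20 Dec 2021 09:00:00 +0000")
    msg.set_content("Dear colleagues, please find attached our New Year greeting.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Happy New Year.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print(line)
```

Matching on the earliest Received: hop rather than the From: address is what lets the October and December campaigns be tied together even though the sender identity changed between them; the attachment check fires on the file names inside the archive, so a renamed ZIP does not evade it.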
Black Lotus Labs researchers say it was a highly targeted campaign that “downloaded a first stage agent that is almost identical to the agent” discovered by Malwarebytes in an earlier Konni attack on Russian targets.
Both cybersecurity firms attribute the spear-phishing campaigns against Russian diplomatic entities to the Konni advanced persistent threat group.