New day, new malware: that has become the norm in the cyber world. An ongoing spear-phishing campaign is targeting Russia with a new variant of the Konni RAT.

What’s going on?

In late July, an ongoing spear-phishing campaign was discovered that abuses two Russian-language documents laced with the same malicious macro. One lure concerns economic and trade issues between the Korean Peninsula and Russia; the other revolves around a meeting of the intergovernmental Russian-Mongolian commission. Opening either document triggers a cascade of further activity that ultimately deploys the Konni RAT.

About Konni RAT

First discovered in 2014, this malware is allegedly used by APT37 to target its victims.
  • While Konni RAT primarily focuses on South Korea and Russia, it has also been used to target Mongolia, Japan, Nepal, and Vietnam.
  • Although several differences have been found between past and recent campaigns, the main infection process remains the same.
  • Konni has only been used in highly targeted attacks, against the UN and UNICEF among others. Experts also surmise that Konni might be related to the DarkHotel malware.

Learning from the past

Last year, a CISA alert offered businesses several recommendations for protecting against Konni RAT: keep antivirus signatures and engines up to date, keep the operating system patched, and restrict users' ability to install unwanted software applications.

The bottom line

The current Konni campaign leverages two distinct UAC bypass techniques and employs sophisticated obfuscation tricks. The campaign is therefore a serious threat, and organizations should mount proper cybersecurity defenses against it.

Cyware Publisher