Konni Group Uses Russian-Language Malicious Word Docs in Latest Attack

Nov 23, 2023NewsroomMalware / Cyber​​​​ Espionage

Espionage Attacks

A new phishing attack has been observed that uses a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

The activity is attributed to a threat actor called Konni.

“This campaign relies on a remote access trojan (RAT) capable of obtaining information and executing commands on compromised devices,” Fortinet FortiGuard Labs researcher Cara Lin said. SAYS in an analysis published this week.

The cyber espionage group is famous for this target of Russiawith a modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks.


Recent attacks documented by Knowsec and ThreatMon exploit a vulnerability in WinRAR (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of collecting data from infected machines.

“Konni’s main purpose includes data exfiltration and conducting espionage activities,” ThreatMon SAYS. “To achieve these goals, the group uses a wide range of malware and tools, constantly adapting their tactics to avoid detection and identification.”

The latest attack sequence observed by Fortinet includes a macro-laced Word document that, if possible, appears to be an article in Russian purportedly about “Western Assessments of the Progress of the Special Military Operation.”

The Visual Basic for Application (VBA) macro proceeds to launch an interim Batch script that performs system checks, User Account Control (UAC) bypass, and finally paves the way for the deployment of a DLL file that includes information gathering and exfiltration capabilities.

“The payload includes a UAC bypass and encrypted communication with a C2 server, which enables the threat actor to execute privileged commands,” said Lin.


Konni is far from the only North Korean threat actor to choose Russia. Evidence gathered by Kaspersky, Microsoft, and SentinelOne shows that the adversarial collective called ScarCruft (aka APT37) is also targeting trading companies and missile engineering firms located in the country.

The disclosure also comes less than two weeks after Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, revealed that threat actors from Asia – particularly those from China and North Korea – were responsible for most of attacks against the country’s infrastructure.

“The North Korean Lazarus group is also active on the territory of the Russian Federation,” the company said SAYS. “In early November, Lazarus hackers had access to several Russian systems.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment