Security experts uncovered a North Korean-linked cyberespionage group targeting Russian embassy diplomats with weaponized email attachments. Dubbed Konni, the threat actor group reportedly sent New Year greeting emails embedded with malware to infect the victim’s device. The Konni malware campaign has been active since December 2021, according to researchers from Cluster25.
Konni Remote Access Trojan
According to Cluster25, the attackers distributed malicious ZIP archives whose contents were a Windows screensaver (.scr) file posing as a holiday greeting. A .scr file is an ordinary PE executable with a different extension, so when the user opens it, Windows runs it; this first stage then downloads the Konni remote access trojan (RAT) onto the device.
“These emails used the New Year's Eve 2022 festivity as a decoy theme. Contrary to its past actions, the North Korean APT group this time did not use malicious documents as attachments; instead, they attached a .zip file type named ‘поздравление.zip’, which means ‘congratulation’ in Russian, containing an embedded executable representing the first stage of the infection,” Cluster25 said.
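The lure relies on a ZIP archive carrying an executable under the .scr extension. The following is an added example, not code from Cluster25 or from the original report, of an attachment check a mail gateway or triage script could apply: it opens a ZIP in memory, flags members with extensions Windows executes on double-click, members whose bytes start with the PE "MZ" magic regardless of extension, and double-extension names such as card.pdf.scr. The inner member names (new_year_greeting.scr, card.pdf.scr, greeting.txt) and the MZ stub are constructed for the example; the page does not name the file inside поздравление.zip.

```python
import io
import zipfile

# Extensions Windows will run directly when the user double-clicks them.
# .scr (screensaver) is a PE executable with a different extension, which is
# the trick the Konni lure described above relies on.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd",
    ".js", ".vbs", ".hta", ".lnk",
}

# Document/image extensions commonly used as the "visible" half of a
# double extension (e.g. card.pdf.scr) to hide the real file type.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def inspect_zip_attachment(data: bytes):
    """Return a list of (member_name, reason) for suspicious archive members.

    Each member is checked for:
      - an extension Windows executes on double-click (.scr, .exe, ...)
      - a PE ('MZ') header regardless of extension, catching renamed binaries
      - a double extension such as greeting.pdf.scr that hides the real type
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit(".", 2)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) == 3 and ("." + parts[1]) in DECOY_EXTENSIONS:
                reasons.append("double extension hides file type")
            # Only the first two bytes are needed to spot a PE image.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ) present")
            if reasons:
                findings.append((name, "; ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real Konni attachment).

    Contains one benign text note, one MZ stub saved as a .scr file, and one
    MZ stub with a double extension. The stub only starts with the MZ magic;
    it is not a runnable program.
    """
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("greeting.txt", "Happy New Year!\n")
        zf.writestr("new_year_greeting.scr", pe_stub)
        zf.writestr("card.pdf.scr", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_archive()):
        print(f"{member}: {reason}")
```

The MZ check matters more than the extension check in practice: an attacker can rename the payload to anything, but the PE loader still requires the MZ magic at offset 0, so a renamed executable inside an archive is caught even when its extension looks harmless.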
Attacks From North Korean Actors Continue
State-sponsored actors from North Korea continue to target critical organizations worldwide. According to a cyberthreat research report from Proofpoint, the North Korean actors mostly target individuals in North America, Russia, and China. The group Proofpoint tracks as Threat Actor 406 (TA406) reportedly stole credentials and sensitive financial data from high-level officials, law enforcement officers, and experts in economics and finance.
The attackers approached their victims by masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations involved with cryptocurrency for financial gain.