An installer of a tool possibly used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog).
The findings come from German cybersecurity firm DCSO, which attributed the activity to Democratic People’s Republic of Korea (DPRK)-nexus actors targeting Russia.
The Konni activity cluster (also tracked as Opal Sleet, Osmium, or TA406) has an established pattern of deploying Konni RAT against Russian entities, and the threat actor has also been linked to direct attacks against the MID since at least October 2021.
In November 2023, Fortinet FortiGuard Labs disclosed the use of Russian-language Microsoft Word documents to spread malware that can collect sensitive information from compromised Windows hosts.
DCSO said that inserting Konni RAT into software installers is a technique the group has used before: in October 2023 it was discovered distributing the Trojan through a backdoored installer for the Russian tax filing software Spravki BK.
“In this case, the backdoor installer appears to be for a tool called ‘Statistika KZU’ (Cтатистика КЗУ),” the Berlin-based company said.
“Based on the installation paths, file metadata, and user manuals included in the installer, […] the software is intended for internal use within the Russian Ministry of Foreign Affairs (MID), in particular for forwarding files of annual reports from consular offices abroad (КЗУ — консульские загранучреждения) to the consular department of the MID through a safe channel.”
The trojanized installer is an MSI file that, once launched, kicks off the infection sequence and ultimately establishes contact with a command-and-control (C2) server to await further instructions.
The remote access Trojan, which has file transfer and command execution capabilities, is believed to have been in use as early as 2014 and has also been used by other well-known North Korean threat actors such as Kimsuky and ScarCruft (aka APT37).
It is currently unclear how the threat actors obtained the installer, given that it is not publicly available. It is suspected, however, that North Korea’s long history of espionage operations against Russia may have helped it identify potential tools for follow-up attacks.
While North Korea’s targeting of Russia is nothing new, the development comes against a backdrop of growing geopolitical closeness between the two countries. State media in the Hermit Kingdom reported this week that Russian President Vladimir Putin gave leader Kim Jong Un a Russian-made luxury car as a gift.
“To some extent, this should not be surprising; increasing strategic proximity would not be expected to completely overwrite the DPRK’s current collection needs, with the DPRK’s continued need to be able to assess and verify Russian foreign policy planning and objectives,” DCSO said.