Hacked Microsoft Word documents being used to trick Windows users
North Koreans are trying to steal sensitive data from Russian targets using malicious Microsoft Word documents, experts claim.
These are the findings of Fortinet’s researcher Cara Lin, who observed a group called Konni (but could be Kimsuky AKA APT43 due to some overlaps it has with the known threat actor) attempting to deliver a malicious Russian-language Microsoft document to its victims deliver .
The malware, as you would expect, comes in the form of a macro. This script starts an intermediate batch script that checks the system, bypasses the User Account Control (UAC) settings, and ultimately deploys an infostealing DLL.
Friend or enemy?
“This campaign is based on a remote access trojan (RAT) that can extract information and execute commands on compromised devices,” Lin said in the report. “The payload includes a UAC bypass and encrypted communication with a C2 server, allowing the threat actor to execute privileged commands.”
The document being distributed contains an article in Russian language, reportedly on “Western assessments of the progress of the Special Military Operation.”
In his writing, The hacker news says Konni is “notable” for his attacks on Russia.
Typically, the group used spearphishing emails and malicious documents to gain access to target endpoints. Previous attacks, spotted by cybersecurity researchers Knowsec and ThreatMon, exploited a vulnerability in WinRAR (CVE-2023-38831). “Konni’s main objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group uses a wide range of malware and tools, regularly adapting its tactics to avoid detection and attribution.”
This isn’t the first time we’ve seen North Korean hackers targeting Russian companies. Last summer, two separate groups – ScarCruft and Lazarus Group – went to NPO Mashinostroyenia, a major Russian rocket design company. While ScarCruft managed to compromise its “sensitive internal IT infrastructure,” including an email server, Lazarus used a Windows backdoor known as OpenCarrot.